
Windows Analysis Report
uMlLpvdLRU.exe

Overview

General Information

Sample name: uMlLpvdLRU.exe (renamed because original name is a hash value)
Original sample name: 7ea98bd7f6a69b385310f5eaa86b6828.exe
Analysis ID: 1532438
MD5: 7ea98bd7f6a69b385310f5eaa86b6828
SHA1: ab3ee16a99f901336fa6221f4fdc84e562154841
SHA256: 930b96bbec596e80fd6b6e4a37c34000113e1affb5f1aadbce2049f5800a6fce
Tags: exe, user-abuse_ch

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Abnormally high CPU usage
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

  • System is w10x64
  • uMlLpvdLRU.exe (PID: 5748 cmdline: "C:\Users\user\Desktop\uMlLpvdLRU.exe" MD5: 7EA98BD7F6A69B385310F5EAA86B6828)
    • cmd.exe (PID: 1432 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yuzqifwu\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5616 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bndqedvz.exe" C:\Windows\SysWOW64\yuzqifwu\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7072 cmdline: "C:\Windows\System32\sc.exe" create yuzqifwu binPath= "C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d\"C:\Users\user\Desktop\uMlLpvdLRU.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6480 cmdline: "C:\Windows\System32\sc.exe" description yuzqifwu "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6248 cmdline: "C:\Windows\System32\sc.exe" start yuzqifwu MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 6008 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • bndqedvz.exe (PID: 6368 cmdline: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d"C:\Users\user\Desktop\uMlLpvdLRU.exe" MD5: 491E03099055090A2BCF55796B5D0830)
    • svchost.exe (PID: 1600 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • svchost.exe (PID: 3088 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7092 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Yara matches in memory dumps (Source | Rule | Description | Author, followed by the matched strings):

00000000.00000002.4595280010.00000000005B9000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1708:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000003.2433806648.0000000000D60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000C.00000003.2433806648.0000000000D60000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0000000C.00000003.2433806648.0000000000D60000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
Yara matches in unpacked PE files (Source | Rule | Description | Author, followed by the matched strings):

0.2.uMlLpvdLRU.exe.400000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0.2.uMlLpvdLRU.exe.400000.0.raw.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.2.uMlLpvdLRU.exe.400000.0.raw.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
12.3.bndqedvz.exe.d60000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
12.3.bndqedvz.exe.d60000.0.raw.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3

System Summary (Sigma matches)

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d"C:\Users\user\Desktop\uMlLpvdLRU.exe", ParentImage: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe, ParentProcessId: 6368, ParentProcessName: bndqedvz.exe, ProcessCommandLine: svchost.exe, ProcessId: 1600, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create yuzqifwu binPath= "C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d\"C:\Users\user\Desktop\uMlLpvdLRU.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create yuzqifwu binPath= "C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d\"C:\Users\user\Desktop\uMlLpvdLRU.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\uMlLpvdLRU.exe", ParentImage: C:\Users\user\Desktop\uMlLpvdLRU.exe, ParentProcessId: 5748, ParentProcessName: uMlLpvdLRU.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create yuzqifwu binPath= "C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d\"C:\Users\user\Desktop\uMlLpvdLRU.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7072, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.11.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 1600, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49911
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d"C:\Users\user\Desktop\uMlLpvdLRU.exe", ParentImage: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe, ParentProcessId: 6368, ParentProcessName: bndqedvz.exe, ProcessCommandLine: svchost.exe, ProcessId: 1600, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1600, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\yuzqifwu
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create yuzqifwu binPath= "C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d\"C:\Users\user\Desktop\uMlLpvdLRU.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create yuzqifwu binPath= "C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d\"C:\Users\user\Desktop\uMlLpvdLRU.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\uMlLpvdLRU.exe", ParentImage: C:\Users\user\Desktop\uMlLpvdLRU.exe, ParentProcessId: 5748, ParentProcessName: uMlLpvdLRU.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create yuzqifwu binPath= "C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d\"C:\Users\user\Desktop\uMlLpvdLRU.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7072, ProcessName: sc.exe
No Suricata rule has matched


AV Detection

Source: uMlLpvdLRU.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\bndqedvz.exe | Avira: detection malicious, Label: TR/AD.Tofsee.fkivj
Source: 12.2.bndqedvz.exe.6b0e67.1.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: C:\Users\user\AppData\Local\Temp\bndqedvz.exe | ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe (copy) | ReversingLabs: Detection: 87%
Source: uMlLpvdLRU.exe | ReversingLabs: Detection: 78%
Source: uMlLpvdLRU.exe | Virustotal: Detection: 77%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\bndqedvz.exe | Joe Sandbox ML: detected
Source: uMlLpvdLRU.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Unpacked PE file: 0.2.uMlLpvdLRU.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Unpacked PE file: 12.2.bndqedvz.exe.400000.0.unpack
Source: uMlLpvdLRU.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\yuzqifwu

Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.109 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 185.228.234.180 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.40.26 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.166.26 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 142.251.168.26 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.74 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 80.66.75.11 443
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 52.101.40.26
Source: Joe Sandbox View | IP Address: 52.101.11.0
Source: Joe Sandbox View | IP Address: 67.195.228.109
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: YAHOO-GQ1US
Source: global traffic | TCP traffic: 192.168.2.6:49911 -> 52.101.11.0:25
Source: global traffic | TCP traffic: 192.168.2.6:49987 -> 67.195.228.109:25
Source: global traffic | TCP traffic: 192.168.2.6:49989 -> 64.233.166.26:25
Source: global traffic | TCP traffic: 192.168.2.6:49993 -> 217.69.139.150:25
Source: global traffic | TCP traffic: 192.168.2.6:49999 -> 52.101.40.26:25
Source: global traffic | TCP traffic: 192.168.2.6:50001 -> 67.195.204.74:25
Source: global traffic | TCP traffic: 192.168.2.6:50003 -> 142.251.168.26:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: global traffic | DNS traffic detected: DNS query: jotunheim.name
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown | Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown | Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown | Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown | Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49991 -> 443

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 0.2.uMlLpvdLRU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.bndqedvz.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uMlLpvdLRU.exe.2080e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.uMlLpvdLRU.exe.20a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bndqedvz.exe.6b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bndqedvz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.svchost.exe.390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.svchost.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bndqedvz.exe.d60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bndqedvz.exe.d60000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uMlLpvdLRU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bndqedvz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000003.2433806648.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2212033064.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2738933008.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: uMlLpvdLRU.exe PID: 5748, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bndqedvz.exe PID: 6368, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1600, type: MEMORYSTR

          System Summary

          barindex
          Source: 0.2.uMlLpvdLRU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.2.uMlLpvdLRU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 12.3.bndqedvz.exe.d60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 12.3.bndqedvz.exe.d60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.2.uMlLpvdLRU.exe.2080e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.2.uMlLpvdLRU.exe.2080e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.3.uMlLpvdLRU.exe.20a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.3.uMlLpvdLRU.exe.20a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 12.2.bndqedvz.exe.6b0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 12.2.bndqedvz.exe.6b0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 12.3.bndqedvz.exe.d60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 12.3.bndqedvz.exe.d60000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 12.2.bndqedvz.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 12.2.bndqedvz.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 18.2.svchost.exe.390000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 18.2.svchost.exe.390000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.2.uMlLpvdLRU.exe.2080e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.2.uMlLpvdLRU.exe.2080e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 18.2.svchost.exe.390000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 18.2.svchost.exe.390000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 12.2.bndqedvz.exe.d60000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 12.2.bndqedvz.exe.d60000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 12.2.bndqedvz.exe.6b0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 12.2.bndqedvz.exe.6b0e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.3.uMlLpvdLRU.exe.20a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.3.uMlLpvdLRU.exe.20a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 12.2.bndqedvz.exe.d60000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 12.2.bndqedvz.exe.d60000.2.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.2.uMlLpvdLRU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.2.uMlLpvdLRU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 12.2.bndqedvz.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 12.2.bndqedvz.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 00000000.00000002.4595280010.00000000005B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000000C.00000003.2433806648.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000C.00000003.2433806648.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000C.00000002.2737258671.00000000006E3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 00000000.00000003.2212033064.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 00000000.00000003.2212033064.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0000000C.00000002.2738933008.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000C.00000002.2738933008.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Code function: 0_2_00408E26 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\yuzqifwu\
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Code function: 0_2_0040C913
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Code function: 0_2_0041A380
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_0040C913
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_0041A380
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E3420
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E3230
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E3618
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E34E8
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E32F8
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E3488
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E3290
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E3168
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E3358
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E3550
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E31C8
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E33C0
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_006E35B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 18_2_0039C913
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Code function: String function: 020827AB appears 35 times
Source: uMlLpvdLRU.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.uMlLpvdLRU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.uMlLpvdLRU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.3.bndqedvz.exe.d60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.3.bndqedvz.exe.d60000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.uMlLpvdLRU.exe.2080e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.uMlLpvdLRU.exe.2080e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.uMlLpvdLRU.exe.20a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.uMlLpvdLRU.exe.20a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.bndqedvz.exe.6b0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.bndqedvz.exe.6b0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.3.bndqedvz.exe.d60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.3.bndqedvz.exe.d60000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.bndqedvz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.bndqedvz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 18.2.svchost.exe.390000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 18.2.svchost.exe.390000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.uMlLpvdLRU.exe.2080e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.uMlLpvdLRU.exe.2080e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 18.2.svchost.exe.390000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 18.2.svchost.exe.390000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.bndqedvz.exe.d60000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.bndqedvz.exe.d60000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.bndqedvz.exe.6b0e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.bndqedvz.exe.6b0e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.uMlLpvdLRU.exe.20a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.uMlLpvdLRU.exe.20a0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.bndqedvz.exe.d60000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.bndqedvz.exe.d60000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.uMlLpvdLRU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.uMlLpvdLRU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.bndqedvz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.bndqedvz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000002.4595280010.00000000005B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000003.2433806648.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000C.00000003.2433806648.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000C.00000002.2737258671.00000000006E3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000003.2212033064.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000003.2212033064.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000C.00000002.2738933008.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000C.00000002.2738933008.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: uMlLpvdLRU.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@24/3@12/9
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,DeleteFileA,GetLastError
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Code function: 0_2_005BA736 CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\SysWOW64\svchost.exe Code function: 18_2_00399A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3380:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe File created: C:\Users\user\AppData\Local\Temp\bndqedvz.exe
Source: uMlLpvdLRU.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: uMlLpvdLRU.exe ReversingLabs: Detection: 78%
Source: uMlLpvdLRU.exe Virustotal: Detection: 77%
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe File read: C:\Users\user\Desktop\uMlLpvdLRU.exe
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_12-17934
Source: unknown Process created: C:\Users\user\Desktop\uMlLpvdLRU.exe "C:\Users\user\Desktop\uMlLpvdLRU.exe"
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yuzqifwu\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bndqedvz.exe" C:\Windows\SysWOW64\yuzqifwu\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create yuzqifwu binPath= "C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d\"C:\Users\user\Desktop\uMlLpvdLRU.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description yuzqifwu "wifi internet conection"
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start yuzqifwu
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d"C:\Users\user\Desktop\uMlLpvdLRU.exe"
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yuzqifwu\
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bndqedvz.exe" C:\Windows\SysWOW64\yuzqifwu\
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create yuzqifwu binPath= "C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d\"C:\Users\user\Desktop\uMlLpvdLRU.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description yuzqifwu "wifi internet conection"
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start yuzqifwu
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Section loaded: msimg32.dll
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Section loaded: msvcr100.dll
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: windows.staterepositorycore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: capabilityaccessmanager.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: capabilityaccessmanagerclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: capauthz.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wifidatacapabilityhandler.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wwapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cellulardatacapabilityhandler.dllJump to behavior
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

          Data Obfuscation

          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Unpacked PE file: 0.2.uMlLpvdLRU.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Unpacked PE file: 12.2.bndqedvz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Unpacked PE file: 0.2.uMlLpvdLRU.exe.400000.0.unpack
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Unpacked PE file: 12.2.bndqedvz.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_005BDA1E push 0000002Bh; iretd 0_2_005BDA24
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Code function: 12_2_006F0653 push eax; retf 12_2_006F0642
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Code function: 12_2_006E7706 push 0000002Bh; iretd 12_2_006E770C
          Source: uMlLpvdLRU.exe | Static PE information: section name: .text entropy: 7.4254742701939

          Persistence and Installation Behavior

          Source: unknown | Executable created and started: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe
          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe (copy)
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | File created: C:\Users\user\AppData\Local\Temp\bndqedvz.exe
          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe (copy)
          Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\yuzqifwu
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create yuzqifwu binPath= "C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d\"C:\Users\user\Desktop\uMlLpvdLRU.exe\"" type= own start= auto DisplayName= "wifi support"
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 18_2_0039199C
          Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 677
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-15483
          Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_18-6424
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_12-19268
          Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_18-6126
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_12-18316
          Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_18-7314
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-15466
          Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_18-7407
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_12-17950
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-15047
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | API coverage: 6.7 %
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | API coverage: 5.4 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 5588 | Thread sleep count: 677 > 30
          Source: C:\Windows\SysWOW64\svchost.exe TID: 5588 | Thread sleep time: -677000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe TID: 5588 | Thread sleep count: 200 > 30
          Source: C:\Windows\SysWOW64\svchost.exe TID: 5588 | Thread sleep time: -200000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_0041A380 GetSystemTimes followed by cmp: cmp dword ptr [004220dch], 0ah and CTI: jne 0041A5CFh 0_2_0041A380
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Code function: 12_2_0041A380 GetSystemTimes followed by cmp: cmp dword ptr [004220dch], 0ah and CTI: jne 0041A5CFh 12_2_0041A380
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,HeapCreate,GetTickCount, 0_2_00401D96
          Source: svchost.exe, 00000012.00000002.4595103102.0000000002A00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | API call chain: ExitProcess graph end node graph_0-15478
          Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_18-6418

          Anti Debugging

          Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_18-7652
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_12-19329
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_005BA013 push dword ptr fs:[00000030h] 0_2_005BA013
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_0208092B mov eax, dword ptr fs:[00000030h] 0_2_0208092B
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_02080D90 mov eax, dword ptr fs:[00000030h] 0_2_02080D90
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Code function: 12_2_006B092B mov eax, dword ptr fs:[00000030h] 12_2_006B092B
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Code function: 12_2_006B0D90 mov eax, dword ptr fs:[00000030h] 12_2_006B0D90
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Code function: 12_2_006E3CFB push dword ptr fs:[00000030h] 12_2_006E3CFB
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 12_2_00409A6B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 18_2_00399A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 18_2_00399A6B

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.109 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 185.228.234.180 443
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.40.26 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.166.26 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 142.251.168.26 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.74 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 80.66.75.11 443
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 390000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 390000 value starts with: 4D5A
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 390000
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 58D008
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yuzqifwu\
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bndqedvz.exe" C:\Windows\SysWOW64\yuzqifwu\
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create yuzqifwu binPath= "C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d\"C:\Users\user\Desktop\uMlLpvdLRU.exe\"" type= own start= auto DisplayName= "wifi support"
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description yuzqifwu "wifi internet conection"
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start yuzqifwu
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey, 0_2_00409326

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Users\user\Desktop\uMlLpvdLRU.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

          Stealing of Sensitive Information

Source: Yara match, file source: 0.2.uMlLpvdLRU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.3.bndqedvz.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.uMlLpvdLRU.exe.2080e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.uMlLpvdLRU.exe.20a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.bndqedvz.exe.6b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.bndqedvz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 18.2.svchost.exe.390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 18.2.svchost.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.bndqedvz.exe.d60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.bndqedvz.exe.d60000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.uMlLpvdLRU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.bndqedvz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000C.00000003.2433806648.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.2212033064.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2738933008.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: uMlLpvdLRU.exe PID: 5748, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: bndqedvz.exe PID: 6368, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: svchost.exe PID: 1600, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match, file sources: the same 12 unpacked PE files (UNPACKEDPE), 8 memory dumps (MEMORY) and 3 process memory spaces (MEMORYSTR) listed under Stealing of Sensitive Information above
Source: C:\Users\user\Desktop\uMlLpvdLRU.exe, code function 0_2_004088B0: CreateThread, CreateThread, send, recv, socket, connect, closesocket, setsockopt, bind, listen, accept, select, getpeername, getsockname
Source: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe, code function 12_2_004088B0: CreateThread, CreateThread, send, recv, socket, connect, closesocket, setsockopt, bind, listen, accept, select, getpeername, getsockname
Source: C:\Windows\SysWOW64\svchost.exe, code function 18_2_003988B0: CreateThread, CreateThread, send, recv, socket, connect, closesocket, setsockopt, bind, listen, accept, select, getpeername, getsockname
MITRE ATT&CK Matrix (techniques matched by this analysis, with the signature count shown in the matrix; unmatched filler cells of the matrix are omitted)

Initial Access: Valid Accounts (1)
Execution: Native API (41), Command and Scripting Interpreter (2), Service Execution (3)
Persistence: DLL Side-Loading (1), Valid Accounts (1), Windows Service (14)
Privilege Escalation: DLL Side-Loading (1), Valid Accounts (1), Access Token Manipulation (1), Windows Service (14), Process Injection (412)
Defense Evasion: Disable or Modify Tools (3), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (22), DLL Side-Loading (1), Masquerading (12), Valid Accounts (1), Virtualization/Sandbox Evasion (11), Access Token Manipulation (1), Process Injection (412)
Discovery: System Time Discovery (12), Account Discovery (1), File and Directory Discovery (1), System Information Discovery (15), Security Software Discovery (211), Virtualization/Sandbox Evasion (11), Process Discovery (1), Application Window Discovery (1), System Owner/User Discovery (1), System Network Configuration Discovery (1)
Collection: Archive Collected Data (1)
Command and Control: Ingress Tool Transfer (1), Encrypted Channel (12), Non-Application Layer Protocol (1), Application Layer Protocol (112)
Reconnaissance, Resource Development, Credential Access, Lateral Movement, Exfiltration, Impact: no technique matched
Behavior Graph (ID: 1532438, sample: uMlLpvdLRU.exe, start date: 13/10/2024, architecture: WINDOWS, score: 100)

Contacted by the sample: yahoo.com, vanaheim.cn, 7 other IPs or domains
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 11 other signatures

Process tree:
bndqedvz.exe: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures; starts svchost.exe
  svchost.exe (started by bndqedvz.exe): connects to mta5.am0.yahoodns.net 67.195.228.109 port 25 (YAHOO-GQ1US, United States), 67.195.204.74 port 25 (YAHOO-3US, United States) and 7 other IPs or domains; System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Adds extensions / path to Windows Defender exclusion list (Registry)
uMlLpvdLRU.exe: drops C:\Users\user\AppData\Local\...\bndqedvz.exe (PE32); Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall; starts cmd.exe, netsh.exe, cmd.exe and 3 other processes
  cmd.exe: drops C:\Windows\SysWOW64\...\bndqedvz.exe (copy) (PE32); starts conhost.exe
  netsh.exe: starts conhost.exe
  cmd.exe: starts conhost.exe
  3 other processes: each starts conhost.exe
svchost.exe (started at top level)
svchost.exe (started at top level)

Source | Detection | Scanner | Label
uMlLpvdLRU.exe | 79% | ReversingLabs | Win32.Trojan.RedLineStealer
uMlLpvdLRU.exe | 77% | Virustotal |
uMlLpvdLRU.exe | 100% | Avira | TR/AD.Tofsee.riokt
uMlLpvdLRU.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\bndqedvz.exe | 100% | Avira | TR/AD.Tofsee.fkivj
C:\Users\user\AppData\Local\Temp\bndqedvz.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\bndqedvz.exe | 88% | ReversingLabs | Win32.Trojan.GCleaner
C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe (copy) | 88% | ReversingLabs | Win32.Trojan.GCleaner

No Antivirus matches (remaining antivirus tables)
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mxs.mail.ru | 217.69.139.150 | true | true | | unknown
mta5.am0.yahoodns.net | 67.195.228.109 | true | true | | unknown
jotunheim.name | 80.66.75.11 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.11.0 | true | true | | unknown
vanaheim.cn | 185.228.234.180 | true | true | | unknown
smtp.google.com | 64.233.166.26 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | | unknown
jotunheim.name:443 | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.101.40.26 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
52.101.11.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
67.195.228.109 | mta5.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
64.233.166.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
142.251.168.26 | unknown | United States | 15169 | GOOGLEUS | false
185.228.234.180 | vanaheim.cn | Russian Federation | 64439 | ITOS-ASRU | true
217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
67.195.204.74 | unknown | United States | 26101 | YAHOO-3US | true
80.66.75.11 | jotunheim.name | Russian Federation | 20803 | RISS-ASRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532438
Start date and time: 2024-10-13 07:30:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: uMlLpvdLRU.exe (renamed because the original name is a hash value)
Original Sample Name: 7ea98bd7f6a69b385310f5eaa86b6828.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@24/3@12/9
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 71
• Number of non-executed functions: 261
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 20.236.44.162, 20.112.250.133, 20.76.201.171, 20.70.246.20, 20.231.239.246
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big: too many NtEnumerateKey calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtQueryValueKey calls found
Time | Type | Description
01:32:24 | API Interceptor | 855x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
52.101.40.26 | foufdsk.exe | malicious | Tofsee
52.101.40.26 | UUJycuNA6D.exe | malicious | Tofsee
52.101.40.26 | igvdwmhd.exe | malicious | Tofsee
52.101.40.26 | .exe | malicious | Unknown
52.101.40.26 | setup.exe | malicious | Tofsee
52.101.40.26 | lYWiDKe1In.exe | malicious | Tofsee
52.101.40.26 | DWoKcG581L.exe | malicious | Tofsee
52.101.40.26 | Wc4SadetF5.exe | malicious | Tofsee
52.101.40.26 | L7iza9mNDI.exe | malicious | Tofsee
52.101.40.26 | file.exe | malicious | Tofsee
52.101.11.0 | 6foBmRMlDy.exe | malicious | Tofsee
52.101.11.0 | rXTqHar5Ud.exe | malicious | Tofsee
52.101.11.0 | RSno9EH0K9.exe | malicious | Tofsee
52.101.11.0 | ODy57hA4Su.exe | malicious | Tofsee
52.101.11.0 | knkduwqg.exe | malicious | Tofsee
52.101.11.0 | bEsOrli29K.exe | malicious | Tofsee
52.101.11.0 | SGn3RtDC8Y.exe | malicious | Tofsee
52.101.11.0 | vyrcclmm.exe | malicious | Tofsee
52.101.11.0 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
52.101.11.0 | DWoKcG581L.exe | malicious | Tofsee
67.195.228.109 | RSno9EH0K9.exe | malicious | Tofsee
67.195.228.109 | ODy57hA4Su.exe | malicious | Tofsee
67.195.228.109 | Uc84uB877e.exe | malicious | Tofsee
67.195.228.109 | Eduhazqw4u.exe | malicious | Tofsee
67.195.228.109 | file.exe | malicious | Phorpiex
67.195.228.109 | file.exe | malicious | Phorpiex
67.195.228.109 | RqrQG7s66x.dll | malicious | Unknown
67.195.228.109 | gEkl9O5tiu.exe | malicious | Phorpiex
67.195.228.109 | file.exe | malicious | Phorpiex, Xmrig
67.195.228.109 | l3Qj8QhTYZ.exe | malicious | Phorpiex
185.228.234.180 | Crt09EgZK3.exe | malicious | Tofsee
185.228.234.180 | 6foBmRMlDy.exe | malicious | Tofsee
217.69.139.150 | 6foBmRMlDy.exe | malicious | Tofsee
217.69.139.150 | rXTqHar5Ud.exe | malicious | Tofsee
217.69.139.150 | 874A7cigvX.exe | malicious | Tofsee
217.69.139.150 | RSno9EH0K9.exe | malicious | Tofsee
217.69.139.150 | ODy57hA4Su.exe | malicious | Tofsee
217.69.139.150 | Uc84uB877e.exe | malicious | Tofsee
217.69.139.150 | knkduwqg.exe | malicious | Tofsee
217.69.139.150 | foufdsk.exe | malicious | Tofsee
217.69.139.150 | bEsOrli29K.exe | malicious | Tofsee
217.69.139.150 | Eduhazqw4u.exe | malicious | Tofsee
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mta5.am0.yahoodns.net | 6foBmRMlDy.exe | malicious | Tofsee | 67.195.228.106
mta5.am0.yahoodns.net | rXTqHar5Ud.exe | malicious | Tofsee | 98.136.96.74
mta5.am0.yahoodns.net | H3nfKrgQbi.exe | malicious | Tofsee | 67.195.204.79
mta5.am0.yahoodns.net | ODy57hA4Su.exe | malicious | Tofsee | 67.195.228.109
mta5.am0.yahoodns.net | igvdwmhd.exe | malicious | Tofsee | 67.195.228.110
mta5.am0.yahoodns.net | fdnoqmpv.exe | malicious | Tofsee | 67.195.228.94
mta5.am0.yahoodns.net | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 98.136.96.91
mta5.am0.yahoodns.net | vyrcclmm.exe | malicious | Tofsee | 67.195.204.72
mta5.am0.yahoodns.net | lYWiDKe1In.exe | malicious | Tofsee | 98.136.96.91
mta5.am0.yahoodns.net | I7ldmFS13W.exe | malicious | Phorpiex | 67.195.204.73
jotunheim.name | RSno9EH0K9.exe | malicious | Tofsee | 80.66.75.11
jotunheim.name | vyrcclmm.exe | malicious | Tofsee | 80.66.75.11
jotunheim.name | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 80.66.75.11
jotunheim.name | kPl1mZTpru.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | Wc4SadetF5.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | L7iza9mNDI.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | file.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | U9dDsItOij.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | t26nL0kcxj.exe | malicious | Tofsee | 80.66.75.77
jotunheim.name | SecuriteInfo.com.Win32.BotX-gen.15544.10747.exe | malicious | Tofsee | 80.66.75.77
mxs.mail.ru | 6foBmRMlDy.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | OPgjjiInNK.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | rXTqHar5Ud.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | 2IFYYPRUgO.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | H3nfKrgQbi.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | 2FnvReiPU6.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | 874A7cigvX.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | RSno9EH0K9.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | ODy57hA4Su.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | Uc84uB877e.exe | malicious | Tofsee | 217.69.139.150
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
YAHOO-GQ1US
  6foBmRMlDy.exe | Get hash | malicious | Tofsee | Browse | 67.195.228.106
  na.elf | Get hash | malicious | Mirai | Browse | 98.137.186.231
  na.elf | Get hash | malicious | Unknown | Browse | 98.139.117.51
  na.elf | Get hash | malicious | Mirai | Browse | 98.137.77.120
  Remittance_Regulvar.htm | Get hash | malicious | Unknown | Browse | 74.6.160.106
  phish_alert_sp2_2.0.0.0.eml | Get hash | malicious | Phisher | Browse | 98.137.11.164
  DocuSign-Docx.pdf | Get hash | malicious | Unknown | Browse | 98.137.11.164
  27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html | Get hash | malicious | Unknown | Browse | 98.137.11.163
  https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg | Get hash | malicious | HTMLPhisher | Browse | 98.137.11.164
  Audio_Msg..00299229202324Transcript.html | Get hash | malicious | Unknown | Browse | 98.137.11.163
MICROSOFT-CORP-MSN-AS-BLOCKUS
  na.elf | Get hash | malicious | Mirai | Browse | 137.135.68.55
  SecuriteInfo.com.Linux.Siggen.9999.5011.20467.elf | Get hash | malicious | Mirai | Browse | 20.170.240.224
  KU4NMyi8i1.elf | Get hash | malicious | Mirai | Browse | 52.228.135.142
  jYEvdBHMOI.elf | Get hash | malicious | Mirai | Browse | 143.65.66.173
  o5DbX8v3ZW.elf | Get hash | malicious | Mirai | Browse | 20.18.185.9
  YsI7t2OC5q.elf | Get hash | malicious | Mirai | Browse | 20.55.77.78
  yQMBCvJVWp.elf | Get hash | malicious | Mirai | Browse | 52.225.230.108
  PeleHfdpzX.elf | Get hash | malicious | Mirai | Browse | 20.197.35.131
  ULRmk7oYR7.elf | Get hash | malicious | Mirai | Browse | 20.1.227.164
  na.elf | Get hash | malicious | Unknown | Browse | 158.158.1.110
MICROSOFT-CORP-MSN-AS-BLOCKUS
  na.elf | Get hash | malicious | Mirai | Browse | 137.135.68.55
  SecuriteInfo.com.Linux.Siggen.9999.5011.20467.elf | Get hash | malicious | Mirai | Browse | 20.170.240.224
  KU4NMyi8i1.elf | Get hash | malicious | Mirai | Browse | 52.228.135.142
  jYEvdBHMOI.elf | Get hash | malicious | Mirai | Browse | 143.65.66.173
  o5DbX8v3ZW.elf | Get hash | malicious | Mirai | Browse | 20.18.185.9
  YsI7t2OC5q.elf | Get hash | malicious | Mirai | Browse | 20.55.77.78
  yQMBCvJVWp.elf | Get hash | malicious | Mirai | Browse | 52.225.230.108
  PeleHfdpzX.elf | Get hash | malicious | Mirai | Browse | 20.197.35.131
  ULRmk7oYR7.elf | Get hash | malicious | Mirai | Browse | 20.1.227.164
  na.elf | Get hash | malicious | Unknown | Browse | 158.158.1.110
No context
No context
Process: C:\Users\user\Desktop\uMlLpvdLRU.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 10786816
Entropy (8bit): 5.269688553800493
Encrypted: false
SSDEEP: 49152:pp+Le6666666666666666666666666666666666666666666666666666666666T:p
MD5: 491E03099055090A2BCF55796B5D0830
SHA1: 296C19B55B83B7406C31715177974D7E59312808
SHA-256: C4D820B04DB007D9E2A56C83FDA9C8174FCA33C3C4844F6AA04E7210DB2B911A
SHA-512: 964916B69C34A75C542000C19D822B6EF0F00AB358CE5082C5A88786A123E100EF2A80F7240A9C63286D99A0EF2AAA3123D807A75E2AE36EFD74075180AA20FA
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 88%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?H..lH..lH..l.QlI..l'.blQ..l'.WlZ..l'.cl-..lA.ZlM..lH..l9..l'.flI..l'.SlI..l'.TlI..lRichH..l........................PE..L.....Oe.....................h....................@..........................0..................................................<....P...............................................................................................................text............................... ..`.rdata...'.......(..................@..@.data...@b....... ..................@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 10786816
Entropy (8bit): 5.269688553800493
Encrypted: false
SSDEEP: 49152:pp+Le6666666666666666666666666666666666666666666666666666666666T:p
MD5: 491E03099055090A2BCF55796B5D0830
SHA1: 296C19B55B83B7406C31715177974D7E59312808
SHA-256: C4D820B04DB007D9E2A56C83FDA9C8174FCA33C3C4844F6AA04E7210DB2B911A
SHA-512: 964916B69C34A75C542000C19D822B6EF0F00AB358CE5082C5A88786A123E100EF2A80F7240A9C63286D99A0EF2AAA3123D807A75E2AE36EFD74075180AA20FA
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 88%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?H..lH..lH..l.QlI..l'.blQ..l'.WlZ..l'.cl-..lA.ZlM..lH..l9..l'.flI..l'.SlI..l'.TlI..lRichH..l........................PE..L.....Oe.....................h....................@..........................0..................................................<....P...............................................................................................................text............................... ..`.rdata...'.......(..................@..@.data...@b....... ..................@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3773
Entropy (8bit): 4.7109073551842435
Encrypted: false
SSDEEP: 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5: DA3247A302D70819F10BCEEBAF400503
SHA1: 2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256: 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512: 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious: false
Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.400043831825845
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: uMlLpvdLRU.exe
File size: 243'712 bytes
MD5: 7ea98bd7f6a69b385310f5eaa86b6828
SHA1: ab3ee16a99f901336fa6221f4fdc84e562154841
SHA256: 930b96bbec596e80fd6b6e4a37c34000113e1affb5f1aadbce2049f5800a6fce
SHA512: 25f618ee87b577eec384fd49c40fe00dfa4caaf50b36227431ba838dd461024256a578857026d0942db495a6894b51a55d84190cbe78ab55f46c3c6471a0eb09
SSDEEP: 3072:vRSPDpmSd0310NWYOTLGp+6vDYCm0aW9s/aL/MOvobE80Ogdh1ei4T6Ql:vyDpmSK3104/LS+alDz/MRP0Vdh1tQ
TLSH: 4734290266E36815FD62C7314E3B82F5FA1EBCA29E75267E31147FDF18721A38552B02
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?H..lH..lH..l..QlI..l'.blQ..l'.WlZ..l'.cl-..lA.ZlM..lH..l9..l'.flI..l'.SlI..l'.TlI..lRichH..l........................PE..L..
Icon Hash: 738733b18ba383e4
Entrypoint: 0x401a87
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x654FCFD1 [Sat Nov 11 19:02:41 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 5107e1e1d9cfa977f2674eeaca10490f
Instruction
call 00007F9294C05C52h
jmp 00007F9294C017DEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041FAF0h], eax
mov dword ptr [0041FAECh], ecx
mov dword ptr [0041FAE8h], edx
mov dword ptr [0041FAE4h], ebx
mov dword ptr [0041FAE0h], esi
mov dword ptr [0041FADCh], edi
mov word ptr [0041FB08h], ss
mov word ptr [0041FAFCh], cs
mov word ptr [0041FAD8h], ds
mov word ptr [0041FAD4h], es
mov word ptr [0041FAD0h], fs
mov word ptr [0041FACCh], gs
pushfd
pop dword ptr [0041FB00h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041FAF4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041FAF8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041FB04h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041FA40h], 00010001h
mov eax, dword ptr [0041FAF8h]
mov dword ptr [0041F9F4h], eax
mov dword ptr [0041F9E8h], C0000409h
mov dword ptr [0041F9ECh], 00000001h
mov eax, dword ptr [0041E004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041E008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000E8h]
                                                                                                                    Programming Language:
                                                                                                                    • [C++] VS2010 build 30319
                                                                                                                    • [ASM] VS2010 build 30319
                                                                                                                    • [ C ] VS2010 build 30319
                                                                                                                    • [IMP] VS2008 SP1 build 30729
                                                                                                                    • [RES] VS2010 build 30319
                                                                                                                    • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ce84 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x25000 | 0x1d3c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x194 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1977f | 0x19800 | ec7567fe8938f53a3781b3c97ef69087 | False | 0.7754193474264706 | data | 7.4254742701939 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b000 | 0x27c6 | 0x2800 | 8a4f899406b6c07bc94033367c77d80c | False | 0.353515625 | data | 4.982702804137893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1e000 | 0x6240 | 0x2000 | 01fa0794ef041654340f7c151d43a38f | False | 0.184814453125 | data | 2.126919075500568 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25000 | 0x1d3c8 | 0x1d400 | cca7a410f70eb0fbb4c0536c6b918dc7 | False | 0.43920272435897434 | data | 5.235838030261332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x3d130 | 0x2 | data | | | 5.0
KADORUN | 0x3c510 | 0xbf7 | ASCII text, with very long lines (3063), with no line terminators | Turkish | Turkey | 0.6020241593209272
RT_CURSOR | 0x3d138 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x3d268 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x25aa0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5868869936034116
RT_ICON | 0x26948 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6606498194945848
RT_ICON | 0x271f0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7194700460829493
RT_ICON | 0x278b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7622832369942196
RT_ICON | 0x27e20 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5440871369294605
RT_ICON | 0x2a3c8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6597091932457786
RT_ICON | 0x2b470 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6782786885245902
RT_ICON | 0x2bdf8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8023049645390071
RT_ICON | 0x2c2d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.35154584221748403
RT_ICON | 0x2d180 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5464801444043321
RT_ICON | 0x2da28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6146313364055299
RT_ICON | 0x2e0f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.680635838150289
RT_ICON | 0x2e658 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.4262448132780083
RT_ICON | 0x30c00 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.5217213114754098
RT_ICON | 0x31588 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.5106382978723404
RT_ICON | 0x31a58 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.4069829424307036
RT_ICON | 0x32900 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.572202166064982
RT_ICON | 0x331a8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.625
RT_ICON | 0x33870 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.630057803468208
RT_ICON | 0x33dd8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.4643527204502814
RT_ICON | 0x34e80 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.4504098360655738
RT_ICON | 0x35808 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.49556737588652483
RT_ICON | 0x35cd8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.2798507462686567
RT_ICON | 0x36b80 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.365072202166065
RT_ICON | 0x37428 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.3784562211981567
RT_ICON | 0x37af0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.3764450867052023
RT_ICON | 0x38058 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.25653526970954355
RT_ICON | 0x3a600 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.274624765478424
RT_ICON | 0x3b6a8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.28975409836065574
RT_ICON | 0x3c030 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.32092198581560283
RT_DIALOG | 0x3f9e8 | 0x84 | data | | | 0.7651515151515151
RT_STRING | 0x3fa70 | 0x362 | data | | | 0.4653579676674365
RT_STRING | 0x3fdd8 | 0x54a | data | | | 0.44091580502215655
RT_STRING | 0x40328 | 0xa0 | data | | | 0.61875
RT_STRING | 0x403c8 | 0x8ca | data | | | 0.41244444444444445
RT_STRING | 0x40c98 | 0x8ec | data | | | 0.4106830122591944
RT_STRING | 0x41588 | 0x8b0 | data | | | 0.4123201438848921
RT_STRING | 0x41e38 | 0x4fe | data | | | 0.44209702660406885
RT_STRING | 0x42338 | 0x8e | data | | | 0.6056338028169014
RT_ACCELERATOR | 0x3d108 | 0x28 | data | | | 1.025
RT_GROUP_CURSOR | 0x3f810 | 0x22 | data | | | 1.088235294117647
RT_GROUP_ICON | 0x319f0 | 0x68 | data | Turkish | Turkey | 0.7019230769230769
RT_GROUP_ICON | 0x3c498 | 0x76 | data | Turkish | Turkey | 0.6779661016949152
RT_GROUP_ICON | 0x2c260 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_GROUP_ICON | 0x35c70 | 0x68 | data | Turkish | Turkey | 0.7211538461538461
RT_VERSION | 0x3f838 | 0x1ac | data | | | 0.5864485981308412
DLL | Import
KERNEL32.dll | FillConsoleOutputCharacterA, SearchPathW, GetConsoleAliasesLengthW, GetNumaProcessorNode, DebugActiveProcessStop, GetDefaultCommConfigW, CallNamedPipeA, WriteConsoleOutputW, HeapAlloc, InterlockedDecrement, GlobalSize, GetEnvironmentStringsW, CreateDirectoryW, GetComputerNameW, GetSystemDefaultLCID, GetModuleHandleW, GetCommandLineA, GetSystemTimes, GlobalAlloc, LoadLibraryW, GetConsoleAliasExesLengthW, SetConsoleMode, GetFileAttributesW, GetBinaryTypeW, GetStartupInfoW, SetConsoleTitleA, GetShortPathNameA, InterlockedExchange, GetLastError, GetProcAddress, CopyFileA, SetStdHandle, EnterCriticalSection, BuildCommDCBW, GetNumaHighestNodeNumber, OpenWaitableTimerA, LoadLibraryA, UnhandledExceptionFilter, WritePrivateProfileStringA, QueryDosDeviceW, VirtualLock, FoldStringW, GetModuleFileNameA, FreeEnvironmentStringsW, SetCalendarInfoA, FindAtomW, CopyFileExA, SetFilePointer, WriteConsoleW, EncodePointer, DecodePointer, MultiByteToWideChar, ExitProcess, GetCommandLineW, HeapSetInformation, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, LeaveCriticalSection, Sleep, HeapSize, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapFree, RtlUnwind, HeapReAlloc, WideCharToMultiByte, LCMapStringW, GetStringTypeW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, IsProcessorFeaturePresent, ReadFile, CloseHandle, CreateFileW
USER32.dll | GetUserObjectInformationW
Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 07:31:41.096226931 CEST | 54147 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 07:31:41.149579048 CEST | 53 | 54147 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 07:31:44.034889936 CEST | 63765 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 07:31:44.512211084 CEST | 53 | 63765 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 07:32:01.174846888 CEST | 64645 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 07:32:01.181720972 CEST | 53 | 64645 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 07:32:01.182400942 CEST | 60575 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 07:32:01.190041065 CEST | 53 | 60575 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 07:32:21.190434933 CEST | 57882 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 07:32:21.198569059 CEST | 53 | 57882 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 07:32:21.199302912 CEST | 50508 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 07:32:21.207596064 CEST | 53 | 50508 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 07:32:41.221612930 CEST | 58732 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 07:32:41.229285955 CEST | 53 | 58732 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 07:32:41.229984045 CEST | 55199 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 07:32:41.237015009 CEST | 53 | 55199 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 07:34:09.032377005 CEST | 62026 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 07:34:09.039556026 CEST | 53 | 62026 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 07:34:29.050172091 CEST | 60948 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 07:34:29.057626009 CEST | 53 | 60948 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 07:34:49.065900087 CEST | 61419 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 07:34:49.073086977 CEST | 53 | 61419 | 1.1.1.1 | 192.168.2.6
Oct 13, 2024 07:35:05.128333092 CEST | 53367 | 53 | 192.168.2.6 | 1.1.1.1
Oct 13, 2024 07:35:05.235069990 CEST | 53 | 53367 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 13, 2024 07:31:41.096226931 CEST | 192.168.2.6 | 1.1.1.1 | 0x1b4b | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:31:44.034889936 CEST | 192.168.2.6 | 1.1.1.1 | 0x42c3 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:01.174846888 CEST | 192.168.2.6 | 1.1.1.1 | 0x13d0 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Oct 13, 2024 07:32:01.182400942 CEST | 192.168.2.6 | 1.1.1.1 | 0xee2c | Standard query (0) | mta5.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:21.190434933 CEST | 192.168.2.6 | 1.1.1.1 | 0x55c6 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Oct 13, 2024 07:32:21.199302912 CEST | 192.168.2.6 | 1.1.1.1 | 0xbb0d | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:41.221612930 CEST | 192.168.2.6 | 1.1.1.1 | 0xb646 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Oct 13, 2024 07:32:41.229984045 CEST | 192.168.2.6 | 1.1.1.1 | 0x5f19 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:09.032377005 CEST | 192.168.2.6 | 1.1.1.1 | 0xf002 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:29.050172091 CEST | 192.168.2.6 | 1.1.1.1 | 0xc44b | Standard query (0) | mta5.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:49.065900087 CEST | 192.168.2.6 | 1.1.1.1 | 0x6634 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:35:05.128333092 CEST | 192.168.2.6 | 1.1.1.1 | 0x796d | Standard query (0) | jotunheim.name | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 13, 2024 07:31:41.149579048 CEST | 1.1.1.1 | 192.168.2.6 | 0x1b4b | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:31:41.149579048 CEST | 1.1.1.1 | 192.168.2.6 | 0x1b4b | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:31:41.149579048 CEST | 1.1.1.1 | 192.168.2.6 | 0x1b4b | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:31:41.149579048 CEST | 1.1.1.1 | 192.168.2.6 | 0x1b4b | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:31:44.512211084 CEST | 1.1.1.1 | 192.168.2.6 | 0x42c3 | No error (0) | vanaheim.cn |  | 185.228.234.180 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:01.181720972 CEST | 1.1.1.1 | 192.168.2.6 | 0x13d0 | No error (0) | yahoo.com |  |  | MX (Mail exchange) | IN (0x0001) | false
Oct 13, 2024 07:32:01.181720972 CEST | 1.1.1.1 | 192.168.2.6 | 0x13d0 | No error (0) | yahoo.com |  |  | MX (Mail exchange) | IN (0x0001) | false
Oct 13, 2024 07:32:01.181720972 CEST | 1.1.1.1 | 192.168.2.6 | 0x13d0 | No error (0) | yahoo.com |  |  | MX (Mail exchange) | IN (0x0001) | false
Oct 13, 2024 07:32:01.190041065 CEST | 1.1.1.1 | 192.168.2.6 | 0xee2c | No error (0) | mta5.am0.yahoodns.net |  | 67.195.228.109 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:01.190041065 CEST | 1.1.1.1 | 192.168.2.6 | 0xee2c | No error (0) | mta5.am0.yahoodns.net |  | 67.195.204.72 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:01.190041065 CEST | 1.1.1.1 | 192.168.2.6 | 0xee2c | No error (0) | mta5.am0.yahoodns.net |  | 98.136.96.77 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:01.190041065 CEST | 1.1.1.1 | 192.168.2.6 | 0xee2c | No error (0) | mta5.am0.yahoodns.net |  | 67.195.204.79 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:01.190041065 CEST | 1.1.1.1 | 192.168.2.6 | 0xee2c | No error (0) | mta5.am0.yahoodns.net |  | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:01.190041065 CEST | 1.1.1.1 | 192.168.2.6 | 0xee2c | No error (0) | mta5.am0.yahoodns.net |  | 67.195.204.77 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:01.190041065 CEST | 1.1.1.1 | 192.168.2.6 | 0xee2c | No error (0) | mta5.am0.yahoodns.net |  | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:01.190041065 CEST | 1.1.1.1 | 192.168.2.6 | 0xee2c | No error (0) | mta5.am0.yahoodns.net |  | 67.195.204.73 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:21.198569059 CEST | 1.1.1.1 | 192.168.2.6 | 0x55c6 | No error (0) | google.com |  |  | MX (Mail exchange) | IN (0x0001) | false
Oct 13, 2024 07:32:21.207596064 CEST | 1.1.1.1 | 192.168.2.6 | 0xbb0d | No error (0) | smtp.google.com |  | 64.233.166.26 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:21.207596064 CEST | 1.1.1.1 | 192.168.2.6 | 0xbb0d | No error (0) | smtp.google.com |  | 74.125.206.26 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:21.207596064 CEST | 1.1.1.1 | 192.168.2.6 | 0xbb0d | No error (0) | smtp.google.com |  | 64.233.167.26 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:21.207596064 CEST | 1.1.1.1 | 192.168.2.6 | 0xbb0d | No error (0) | smtp.google.com |  | 64.233.167.27 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:21.207596064 CEST | 1.1.1.1 | 192.168.2.6 | 0xbb0d | No error (0) | smtp.google.com |  | 74.125.206.27 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:41.229285955 CEST | 1.1.1.1 | 192.168.2.6 | 0xb646 | No error (0) | mail.ru |  |  | MX (Mail exchange) | IN (0x0001) | false
Oct 13, 2024 07:32:41.237015009 CEST | 1.1.1.1 | 192.168.2.6 | 0x5f19 | No error (0) | mxs.mail.ru |  | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:32:41.237015009 CEST | 1.1.1.1 | 192.168.2.6 | 0x5f19 | No error (0) | mxs.mail.ru |  | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:09.039556026 CEST | 1.1.1.1 | 192.168.2.6 | 0xf002 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:09.039556026 CEST | 1.1.1.1 | 192.168.2.6 | 0xf002 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:09.039556026 CEST | 1.1.1.1 | 192.168.2.6 | 0xf002 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:09.039556026 CEST | 1.1.1.1 | 192.168.2.6 | 0xf002 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:29.057626009 CEST | 1.1.1.1 | 192.168.2.6 | 0xc44b | No error (0) | mta5.am0.yahoodns.net |  | 67.195.204.74 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:29.057626009 CEST | 1.1.1.1 | 192.168.2.6 | 0xc44b | No error (0) | mta5.am0.yahoodns.net |  | 67.195.204.77 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:29.057626009 CEST | 1.1.1.1 | 192.168.2.6 | 0xc44b | No error (0) | mta5.am0.yahoodns.net |  | 67.195.204.73 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:29.057626009 CEST | 1.1.1.1 | 192.168.2.6 | 0xc44b | No error (0) | mta5.am0.yahoodns.net |  | 98.136.96.74 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:29.057626009 CEST | 1.1.1.1 | 192.168.2.6 | 0xc44b | No error (0) | mta5.am0.yahoodns.net |  | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:29.057626009 CEST | 1.1.1.1 | 192.168.2.6 | 0xc44b | No error (0) | mta5.am0.yahoodns.net |  | 67.195.228.109 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:29.057626009 CEST | 1.1.1.1 | 192.168.2.6 | 0xc44b | No error (0) | mta5.am0.yahoodns.net |  | 67.195.204.79 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:29.057626009 CEST | 1.1.1.1 | 192.168.2.6 | 0xc44b | No error (0) | mta5.am0.yahoodns.net |  | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:49.073086977 CEST | 1.1.1.1 | 192.168.2.6 | 0x6634 | No error (0) | smtp.google.com |  | 142.251.168.26 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:49.073086977 CEST | 1.1.1.1 | 192.168.2.6 | 0x6634 | No error (0) | smtp.google.com |  | 142.251.168.27 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:49.073086977 CEST | 1.1.1.1 | 192.168.2.6 | 0x6634 | No error (0) | smtp.google.com |  | 142.251.173.27 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:49.073086977 CEST | 1.1.1.1 | 192.168.2.6 | 0x6634 | No error (0) | smtp.google.com |  | 64.233.184.26 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:34:49.073086977 CEST | 1.1.1.1 | 192.168.2.6 | 0x6634 | No error (0) | smtp.google.com |  | 64.233.184.27 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 07:35:05.235069990 CEST | 1.1.1.1 | 192.168.2.6 | 0x796d | No error (0) | jotunheim.name |  | 80.66.75.11 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 01:31:01
Start date: 13/10/2024
Path: C:\Users\user\Desktop\uMlLpvdLRU.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\uMlLpvdLRU.exe"
Imagebase: 0x400000
File size: 243'712 bytes
MD5 hash: 7EA98BD7F6A69B385310F5EAA86B6828
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4595280010.00000000005B9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2212033064.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2212033064.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2212033064.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: false

Target ID: 2
Start time: 01:31:07
Start date: 13/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yuzqifwu\
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 01:31:07
Start date: 13/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 01:31:07
Start date: 13/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bndqedvz.exe" C:\Windows\SysWOW64\yuzqifwu\
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 01:31:07
Start date: 13/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 01:31:08
Start date: 13/10/2024
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" create yuzqifwu binPath= "C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d\"C:\Users\user\Desktop\uMlLpvdLRU.exe\"" type= own start= auto DisplayName= "wifi support"
Imagebase: 0x8a0000
File size: 61'440 bytes
MD5 hash: D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

                                                                                                                    Target ID:7
                                                                                                                    Start time:01:31:08
                                                                                                                    Start date:13/10/2024
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff66e660000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:8
                                                                                                                    Start time:01:31:09
                                                                                                                    Start date:13/10/2024
                                                                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Windows\System32\sc.exe" description yuzqifwu "wifi internet conection"
                                                                                                                    Imagebase:0x8a0000
                                                                                                                    File size:61'440 bytes
                                                                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:moderate
                                                                                                                    Has exited:true

                                                                                                                    Target ID:9
                                                                                                                    Start time:01:31:09
                                                                                                                    Start date:13/10/2024
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff66e660000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:10
                                                                                                                    Start time:01:31:09
                                                                                                                    Start date:13/10/2024
                                                                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Windows\System32\sc.exe" start yuzqifwu
                                                                                                                    Imagebase:0x8a0000
                                                                                                                    File size:61'440 bytes
                                                                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:moderate
                                                                                                                    Has exited:true

                                                                                                                    Target ID:11
                                                                                                                    Start time:01:31:09
                                                                                                                    Start date:13/10/2024
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff66e660000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:12
                                                                                                                    Start time:01:31:09
                                                                                                                    Start date:13/10/2024
                                                                                                                    Path:C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe /d"C:\Users\user\Desktop\uMlLpvdLRU.exe"
                                                                                                                    Imagebase:0x400000
                                                                                                                    File size:10'786'816 bytes
                                                                                                                    MD5 hash:491E03099055090A2BCF55796B5D0830
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2433806648.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2433806648.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2433806648.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2737258671.00000000006E3000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2738933008.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2738933008.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2738933008.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:13
                                                                                                                    Start time:01:31:10
                                                                                                                    Start date:13/10/2024
                                                                                                                    Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                                    Imagebase:0xa60000
                                                                                                                    File size:82'432 bytes
                                                                                                                    MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:14
                                                                                                                    Start time:01:31:10
                                                                                                                    Start date:13/10/2024
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff66e660000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:true

                                                                                                                    Target ID:18
                                                                                                                    Start time:01:31:29
                                                                                                                    Start date:13/10/2024
                                                                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:svchost.exe
                                                                                                                    Imagebase:0x650000
                                                                                                                    File size:46'504 bytes
                                                                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                    Has exited:false

                                                                                                                    Target ID:20
                                                                                                                    Start time:01:31:46
                                                                                                                    Start date:13/10/2024
                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                    Imagebase:0x7ff7403e0000
                                                                                                                    File size:55'320 bytes
                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false

                                                                                                                    Target ID:21
                                                                                                                    Start time:01:33:10
                                                                                                                    Start date:13/10/2024
                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                                                                                    Imagebase:0x7ff7403e0000
                                                                                                                    File size:55'320 bytes
                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Has exited:false


                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:4%
                                                                                                                      Dynamic/Decrypted Code Coverage:2%
                                                                                                                      Signature Coverage:26.2%
                                                                                                                      Total number of Nodes:1608
                                                                                                                      Total number of Limit Nodes:21
                                                                                                                      execution_graph: serialized node and edge data for the interactive execution graph viewer (function addresses with the Windows API calls made at each node); not readable as text and rendered only by the report viewer.
GetLastError CloseHandle 15250 406b7f DeleteFileA 15249->15250 15250->15252 15251->15250 15252->15048 15666 406987 15253->15666 15255 406dd7 15254->15255 15259 406e24 15254->15259 15256 406cc9 5 API calls 15255->15256 15257 406ddc 15256->15257 15257->15257 15258 406e02 GetVolumeInformationA 15257->15258 15257->15259 15258->15259 15259->15089 15261 406cdc GetModuleHandleA GetProcAddress 15260->15261 15262 406dbe lstrcpyA lstrcatA lstrcatA 15260->15262 15263 406d12 GetSystemDirectoryA 15261->15263 15264 406cfd 15261->15264 15262->15101 15265 406d27 GetWindowsDirectoryA 15263->15265 15266 406d1e 15263->15266 15264->15263 15267 406d8b 15264->15267 15269 406d42 15265->15269 15266->15265 15266->15267 15267->15262 15268 40ef1e lstrlenA 15268->15267 15269->15268 15271 402544 15270->15271 15272 40972d RegOpenKeyExA 15271->15272 15273 409765 15272->15273 15274 409740 15272->15274 15273->15083 15275 40974f RegDeleteValueA RegCloseKey 15274->15275 15275->15273 15277 402554 lstrcatA 15276->15277 15278 40ee2a 15277->15278 15279 40a0ec lstrcatA 15278->15279 15279->15119 15281 40ec37 15280->15281 15282 40a15d 15280->15282 15680 40eba0 15281->15680 15282->15047 15282->15048 15286 402544 15285->15286 15287 40919e wsprintfA 15286->15287 15288 4091bb 15287->15288 15683 409064 GetTempPathA 15288->15683 15291 4091d5 ShellExecuteA 15292 4091e7 15291->15292 15292->15048 15294 406ed5 15293->15294 15295 406ecc 15293->15295 15294->15097 15296 406e36 2 API calls 15295->15296 15296->15294 15298 4098f6 15297->15298 15299 404280 30 API calls 15298->15299 15300 409904 Sleep 15298->15300 15301 409915 15298->15301 15299->15298 15300->15298 15300->15301 15303 409947 15301->15303 15690 40977c 15301->15690 15303->15096 15712 40dd05 GetTickCount 15304->15712 15306 40e538 15719 40dbcf 15306->15719 15308 40e544 15309 40e555 GetFileSize 15308->15309 15313 40e5b8 15308->15313 15310 40e5b1 CloseHandle 15309->15310 15311 40e566 15309->15311 15310->15313 15729 40db2e 15311->15729 15738 40e3ca RegOpenKeyExA 
15313->15738 15315 40e576 ReadFile 15315->15310 15317 40e58d 15315->15317 15733 40e332 15317->15733 15320 40e5f2 15321 40e3ca 19 API calls 15320->15321 15322 40e629 15320->15322 15321->15322 15322->15025 15324 40eaba 15323->15324 15325 40eabe 15323->15325 15324->15028 15325->15324 15326 40dd05 6 API calls 15325->15326 15326->15324 15328 40ee2a 15327->15328 15329 401db4 GetVersionExA 15328->15329 15330 401dd0 GetSystemInfo GetModuleHandleA GetProcAddress 15329->15330 15332 401e24 15330->15332 15333 401e16 GetCurrentProcess 15330->15333 15791 40e819 15332->15791 15333->15332 15335 401e3d 15336 40e819 11 API calls 15335->15336 15337 401e4e 15336->15337 15345 401e77 15337->15345 15798 40df70 15337->15798 15340 401e6c 15343 40df70 12 API calls 15340->15343 15342 40e819 11 API calls 15344 401e93 15342->15344 15343->15345 15811 40199c inet_addr LoadLibraryA 15344->15811 15807 40ea84 15345->15807 15348 40e819 11 API calls 15349 401eb9 15348->15349 15350 401ed8 15349->15350 15351 40f04e 4 API calls 15349->15351 15352 40e819 11 API calls 15350->15352 15354 401ec9 15351->15354 15353 401eee 15352->15353 15355 401f0a 15353->15355 15824 401b71 15353->15824 15356 40ea84 30 API calls 15354->15356 15358 40e819 11 API calls 15355->15358 15356->15350 15360 401f23 15358->15360 15359 401efd 15361 40ea84 30 API calls 15359->15361 15362 401f3f 15360->15362 15828 401bdf 15360->15828 15361->15355 15364 40e819 11 API calls 15362->15364 15365 401f5e 15364->15365 15367 401f77 15365->15367 15369 40ea84 30 API calls 15365->15369 15835 4030b5 15367->15835 15368 40ea84 30 API calls 15368->15362 15369->15367 15373 406ec3 2 API calls 15374 401f8e GetTickCount 15373->15374 15374->15033 15376 406ec3 2 API calls 15375->15376 15377 4080eb 15376->15377 15378 4080f9 15377->15378 15379 4080ef 15377->15379 15381 40704c 16 API calls 15378->15381 15883 407ee6 15379->15883 15383 408110 15381->15383 15382 408269 CreateThread 15400 405e6c 15382->15400 16213 40877e 15382->16213 15385 408156 RegOpenKeyExA 
15383->15385 15386 4080f4 15383->15386 15384 40675c 21 API calls 15390 408244 15384->15390 15385->15386 15387 40816d RegQueryValueExA 15385->15387 15386->15382 15386->15384 15388 4081f7 15387->15388 15389 40818d 15387->15389 15391 40820d RegCloseKey 15388->15391 15393 40ec2e codecvt 4 API calls 15388->15393 15389->15388 15394 40ebcc 4 API calls 15389->15394 15390->15382 15392 40ec2e codecvt 4 API calls 15390->15392 15391->15386 15392->15382 15399 4081dd 15393->15399 15395 4081a0 15394->15395 15395->15391 15396 4081aa RegQueryValueExA 15395->15396 15396->15388 15397 4081c4 15396->15397 15398 40ebcc 4 API calls 15397->15398 15398->15399 15399->15391 15951 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15400->15951 15402 405e71 15952 40e654 15402->15952 15404 405ec1 15405 403132 15404->15405 15406 40df70 12 API calls 15405->15406 15407 40313b 15406->15407 15408 40c125 15407->15408 15963 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15408->15963 15410 40c12d 15411 40e654 13 API calls 15410->15411 15412 40c2bd 15411->15412 15413 40e654 13 API calls 15412->15413 15414 40c2c9 15413->15414 15415 40e654 13 API calls 15414->15415 15416 40a47a 15415->15416 15417 408db1 15416->15417 15418 408dbc 15417->15418 15419 40e654 13 API calls 15418->15419 15420 408dec Sleep 15419->15420 15420->15067 15422 40c92f 15421->15422 15423 40c93c 15422->15423 15964 40c517 15422->15964 15425 40ca2b 15423->15425 15426 40e819 11 API calls 15423->15426 15425->15067 15427 40c96a 15426->15427 15428 40e819 11 API calls 15427->15428 15429 40c97d 15428->15429 15430 40e819 11 API calls 15429->15430 15431 40c990 15430->15431 15432 40c9aa 15431->15432 15433 40ebcc 4 API calls 15431->15433 15432->15425 15981 402684 15432->15981 15433->15432 15438 40ca26 15988 40c8aa 15438->15988 15441 40ca44 15442 40ca4b closesocket 15441->15442 15443 40ca83 15441->15443 15442->15438 15444 40ea84 30 API calls 15443->15444 15445 40caac 15444->15445 15446 40f04e 4 API calls 15445->15446 
15447 40cab2 15446->15447 15448 40ea84 30 API calls 15447->15448 15449 40caca 15448->15449 15450 40ea84 30 API calls 15449->15450 15451 40cad9 15450->15451 15996 40c65c 15451->15996 15454 40cb60 closesocket 15454->15425 15456 40dad2 closesocket 15457 40e318 23 API calls 15456->15457 15457->15425 15458 40df4c 20 API calls 15483 40cb70 15458->15483 15463 40e654 13 API calls 15463->15483 15466 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15466->15483 15470 40c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15470->15483 15471 40ea84 30 API calls 15471->15483 15472 40d569 closesocket Sleep 16043 40e318 15472->16043 15473 40d815 wsprintfA 15473->15483 15474 40cc1c GetTempPathA 15474->15483 15475 40c517 23 API calls 15475->15483 15477 40e8a1 30 API calls 15477->15483 15478 40d582 ExitProcess 15479 40cfe3 GetSystemDirectoryA 15479->15483 15480 40cfad GetEnvironmentVariableA 15480->15483 15481 40675c 21 API calls 15481->15483 15482 40d027 GetSystemDirectoryA 15482->15483 15483->15456 15483->15458 15483->15463 15483->15466 15483->15470 15483->15471 15483->15472 15483->15473 15483->15474 15483->15475 15483->15477 15483->15479 15483->15480 15483->15481 15483->15482 15484 40d105 lstrcatA 15483->15484 15485 40ef1e lstrlenA 15483->15485 15486 40cc9f CreateFileA 15483->15486 15487 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15483->15487 15489 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15483->15489 15490 40d15b CreateFileA 15483->15490 15495 40d149 SetFileAttributesA 15483->15495 15496 40d36e GetEnvironmentVariableA 15483->15496 15497 40d1bf SetFileAttributesA 15483->15497 15499 40d22d GetEnvironmentVariableA 15483->15499 15500 407ead 6 API calls 15483->15500 15501 40d3af lstrcatA 15483->15501 15503 40d3f2 CreateFileA 15483->15503 15505 407fcf 64 API calls 15483->15505 15511 40d3e0 SetFileAttributesA 15483->15511 15512 40d26e lstrcatA 15483->15512 15514 40d4b1 CreateProcessA 
15483->15514 15516 40d2b1 CreateFileA 15483->15516 15517 407ee6 64 API calls 15483->15517 15518 40d452 SetFileAttributesA 15483->15518 15521 40d29f SetFileAttributesA 15483->15521 15523 40d31d SetFileAttributesA 15483->15523 16004 40c75d 15483->16004 16016 407e2f 15483->16016 16038 407ead 15483->16038 16048 4031d0 15483->16048 16065 403c09 15483->16065 16075 403a00 15483->16075 16079 40e7b4 15483->16079 16082 40c06c 15483->16082 16088 406f5f GetUserNameA 15483->16088 16099 40e854 15483->16099 16109 407dd6 15483->16109 15484->15483 15485->15483 15486->15483 15488 40ccc6 WriteFile 15486->15488 15487->15483 15491 40cdcc CloseHandle 15488->15491 15492 40cced CloseHandle 15488->15492 15489->15483 15490->15483 15493 40d182 WriteFile CloseHandle 15490->15493 15491->15483 15498 40cd2f 15492->15498 15493->15483 15494 40cd16 wsprintfA 15494->15498 15495->15490 15496->15483 15497->15483 15498->15494 16025 407fcf 15498->16025 15499->15483 15500->15483 15501->15483 15501->15503 15503->15483 15506 40d415 WriteFile CloseHandle 15503->15506 15505->15483 15506->15483 15507 40cd81 WaitForSingleObject CloseHandle CloseHandle 15509 40f04e 4 API calls 15507->15509 15508 40cda5 15510 407ee6 64 API calls 15508->15510 15509->15508 15513 40cdbd DeleteFileA 15510->15513 15511->15503 15512->15483 15512->15516 15513->15483 15514->15483 15515 40d4e8 CloseHandle CloseHandle 15514->15515 15515->15483 15516->15483 15519 40d2d8 WriteFile CloseHandle 15516->15519 15517->15483 15518->15483 15519->15483 15521->15516 15523->15483 15525 40741b 15524->15525 15526 406dc2 6 API calls 15525->15526 15527 40743f 15526->15527 15528 407469 RegOpenKeyExA 15527->15528 15530 4077f9 15528->15530 15539 407487 ___ascii_stricmp 15528->15539 15529 407703 RegEnumKeyA 15531 407714 RegCloseKey 15529->15531 15529->15539 15530->15139 15531->15530 15532 4074d2 RegOpenKeyExA 15532->15539 15533 40772c 15535 407742 RegCloseKey 15533->15535 15536 40774b 15533->15536 15534 407521 RegQueryValueExA 15534->15539 15535->15536 15538 
4077ec RegCloseKey 15536->15538 15537 4076e4 RegCloseKey 15537->15539 15538->15530 15539->15529 15539->15532 15539->15533 15539->15534 15539->15537 15541 40f1a5 lstrlenA 15539->15541 15542 40777e GetFileAttributesExA 15539->15542 15543 407769 15539->15543 15540 4077e3 RegCloseKey 15540->15538 15541->15539 15542->15543 15543->15540 15545 407073 15544->15545 15546 4070b9 RegOpenKeyExA 15545->15546 15547 4070d0 15546->15547 15561 4071b8 15546->15561 15548 406dc2 6 API calls 15547->15548 15551 4070d5 15548->15551 15549 40719b RegEnumValueA 15550 4071af RegCloseKey 15549->15550 15549->15551 15550->15561 15551->15549 15553 4071d0 15551->15553 15567 40f1a5 lstrlenA 15551->15567 15554 407205 RegCloseKey 15553->15554 15555 407227 15553->15555 15554->15561 15556 4072b8 ___ascii_stricmp 15555->15556 15557 40728e RegCloseKey 15555->15557 15558 4072cd RegCloseKey 15556->15558 15559 4072dd 15556->15559 15557->15561 15558->15561 15560 407311 RegCloseKey 15559->15560 15563 407335 15559->15563 15560->15561 15561->15140 15562 4073d5 RegCloseKey 15564 4073e4 15562->15564 15563->15562 15565 40737e GetFileAttributesExA 15563->15565 15566 407397 15563->15566 15565->15566 15566->15562 15568 40f1c3 15567->15568 15568->15551 15570 403ee2 15569->15570 15571 403edc 15569->15571 15570->15146 15572 406dc2 6 API calls 15571->15572 15572->15570 15574 40400b CreateFileA 15573->15574 15575 40402c GetLastError 15574->15575 15576 404052 15574->15576 15575->15576 15577 404037 15575->15577 15576->15144 15576->15149 15576->15150 15577->15576 15578 404041 Sleep 15577->15578 15578->15574 15578->15576 15580 403f4e GetLastError 15579->15580 15582 403f7c 15579->15582 15581 403f5b WaitForSingleObject GetOverlappedResult 15580->15581 15580->15582 15581->15582 15583 403f8c ReadFile 15582->15583 15584 403ff0 15583->15584 15585 403fc2 GetLastError 15583->15585 15584->15155 15584->15156 15585->15584 15586 403fcf WaitForSingleObject GetOverlappedResult 15585->15586 15586->15584 15590 40eb74 15587->15590 15591 
40eb7b GetProcessHeap HeapSize 15590->15591 15592 404350 15590->15592 15591->15592 15592->15163 15594 401924 GetVersionExA 15593->15594 15594->15207 15596 406eef AllocateAndInitializeSid 15595->15596 15602 406f55 15595->15602 15597 406f1c CheckTokenMembership 15596->15597 15600 406f44 15596->15600 15598 406f3b FreeSid 15597->15598 15599 406f2e 15597->15599 15598->15600 15599->15598 15600->15602 15629 406e36 GetUserNameW 15600->15629 15602->15217 15605 40920e 15603->15605 15607 409308 15603->15607 15604 4092f1 Sleep 15604->15605 15605->15604 15606 4092bf ShellExecuteA 15605->15606 15605->15607 15606->15605 15606->15607 15607->15235 15609 40ef32 15608->15609 15609->15232 15611 40f0f1 15610->15611 15612 40f0ed 15610->15612 15613 40f119 15611->15613 15614 40f0fa lstrlenA SysAllocStringByteLen 15611->15614 15612->15239 15616 40f11c MultiByteToWideChar 15613->15616 15615 40f117 15614->15615 15614->15616 15615->15239 15616->15615 15618 401820 17 API calls 15617->15618 15619 4018f2 15618->15619 15620 4018f9 15619->15620 15632 401280 15619->15632 15620->15235 15622 401908 15622->15235 15645 401000 15623->15645 15625 401839 15626 401851 GetCurrentProcess 15625->15626 15627 40183d 15625->15627 15628 401864 15626->15628 15627->15225 15628->15225 15630 406e97 15629->15630 15631 406e5f LookupAccountNameW 15629->15631 15630->15602 15631->15630 15635 4012e1 ShellExecuteExW 15632->15635 15634 4016f9 GetLastError 15636 401699 15634->15636 15635->15634 15638 4013a8 15635->15638 15636->15622 15637 401570 lstrlenW 15637->15638 15638->15636 15638->15637 15638->15638 15639 4015be GetStartupInfoW 15638->15639 15640 4015ff CreateProcessWithLogonW 15638->15640 15644 401668 CloseHandle 15638->15644 15639->15638 15641 4016bf GetLastError 15640->15641 15642 40163f WaitForSingleObject 15640->15642 15641->15636 15642->15638 15643 401659 CloseHandle 15642->15643 15643->15638 15644->15638 15646 40100d LoadLibraryA 15645->15646 15660 401023 15645->15660 15647 401021 15646->15647 15646->15660 
15647->15625 15648 4010b5 GetProcAddress 15649 4010d1 GetProcAddress 15648->15649 15650 40127b 15648->15650 15649->15650 15651 4010f0 GetProcAddress 15649->15651 15650->15625 15651->15650 15652 401110 GetProcAddress 15651->15652 15652->15650 15653 401130 GetProcAddress 15652->15653 15653->15650 15654 40114f GetProcAddress 15653->15654 15654->15650 15655 40116f GetProcAddress 15654->15655 15655->15650 15656 40118f GetProcAddress 15655->15656 15656->15650 15657 4011ae GetProcAddress 15656->15657 15657->15650 15658 4011ce GetProcAddress 15657->15658 15658->15650 15659 4011ee GetProcAddress 15658->15659 15659->15650 15661 401209 GetProcAddress 15659->15661 15660->15648 15665 4010ae 15660->15665 15661->15650 15662 401225 GetProcAddress 15661->15662 15662->15650 15663 401241 GetProcAddress 15662->15663 15663->15650 15664 40125c GetProcAddress 15663->15664 15664->15650 15665->15625 15668 4069b9 WriteFile 15666->15668 15669 406a3c 15668->15669 15670 4069ff 15668->15670 15669->15248 15669->15249 15670->15669 15671 406a10 WriteFile 15670->15671 15671->15669 15671->15670 15673 40eb17 15672->15673 15674 40eb21 15672->15674 15676 40eae4 15673->15676 15674->15253 15677 40eb02 GetProcAddress 15676->15677 15678 40eaed LoadLibraryA 15676->15678 15677->15674 15678->15677 15679 40eb01 15678->15679 15679->15674 15681 40eba7 GetProcessHeap HeapSize 15680->15681 15682 40ebbf GetProcessHeap HeapFree 15680->15682 15681->15682 15682->15282 15684 40908d 15683->15684 15685 4090e2 wsprintfA 15684->15685 15686 40ee2a 15685->15686 15687 4090fd CreateFileA 15686->15687 15688 40911a lstrlenA WriteFile CloseHandle 15687->15688 15689 40913f 15687->15689 15688->15689 15689->15291 15689->15292 15691 40ee2a 15690->15691 15692 409794 CreateProcessA 15691->15692 15693 4097c2 15692->15693 15694 4097bb 15692->15694 15695 4097d4 GetThreadContext 15693->15695 15694->15303 15696 409801 15695->15696 15697 4097f5 15695->15697 15704 40637c 15696->15704 15698 4097f6 TerminateProcess 15697->15698 15698->15694 
15700 409816 15700->15698 15701 40981e WriteProcessMemory 15700->15701 15701->15697 15702 40983b SetThreadContext 15701->15702 15702->15697 15703 409858 ResumeThread 15702->15703 15703->15694 15705 406386 15704->15705 15706 40638a GetModuleHandleA VirtualAlloc 15704->15706 15705->15700 15707 4063b6 15706->15707 15711 4063f5 15706->15711 15708 4063be VirtualAllocEx 15707->15708 15709 4063d6 15708->15709 15708->15711 15710 4063df WriteProcessMemory 15709->15710 15710->15711 15711->15700 15713 40dd41 InterlockedExchange 15712->15713 15714 40dd20 GetCurrentThreadId 15713->15714 15715 40dd4a 15713->15715 15716 40dd53 GetCurrentThreadId 15714->15716 15717 40dd2e GetTickCount 15714->15717 15715->15716 15716->15306 15717->15715 15718 40dd39 Sleep 15717->15718 15718->15713 15720 40dbf0 15719->15720 15752 40db67 GetEnvironmentVariableA 15720->15752 15722 40dc19 15723 40dcda 15722->15723 15724 40db67 3 API calls 15722->15724 15723->15308 15725 40dc5c 15724->15725 15725->15723 15726 40db67 3 API calls 15725->15726 15727 40dc9b 15726->15727 15727->15723 15728 40db67 3 API calls 15727->15728 15728->15723 15730 40db3a 15729->15730 15732 40db55 15729->15732 15756 40ebed 15730->15756 15732->15310 15732->15315 15765 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15733->15765 15735 40e3be 15735->15310 15736 40e342 15736->15735 15768 40de24 15736->15768 15739 40e528 15738->15739 15740 40e3f4 15738->15740 15739->15320 15741 40e434 RegQueryValueExA 15740->15741 15742 40e458 15741->15742 15743 40e51d RegCloseKey 15741->15743 15744 40e46e RegQueryValueExA 15742->15744 15743->15739 15744->15742 15745 40e488 15744->15745 15745->15743 15746 40db2e 8 API calls 15745->15746 15747 40e499 15746->15747 15747->15743 15748 40e4b9 RegQueryValueExA 15747->15748 15749 40e4e8 15747->15749 15748->15747 15748->15749 15749->15743 15750 40e332 14 API calls 15749->15750 15751 40e513 15750->15751 15751->15743 15753 40db89 lstrcpyA CreateFileA 15752->15753 15754 40dbca 15752->15754 15753->15722 
15754->15722 15757 40ec01 15756->15757 15758 40ebf6 15756->15758 15760 40eba0 codecvt 2 API calls 15757->15760 15759 40ebcc 4 API calls 15758->15759 15761 40ebfe 15759->15761 15762 40ec0a GetProcessHeap HeapReAlloc 15760->15762 15761->15732 15763 40eb74 2 API calls 15762->15763 15764 40ec28 15763->15764 15764->15732 15779 40eb41 15765->15779 15769 40de3a 15768->15769 15774 40de4e 15769->15774 15783 40dd84 15769->15783 15772 40de9e 15773 40ebed 8 API calls 15772->15773 15772->15774 15777 40def6 15773->15777 15774->15736 15775 40de76 15787 40ddcf 15775->15787 15777->15774 15778 40ddcf lstrcmpA 15777->15778 15778->15774 15780 40eb54 15779->15780 15781 40eb4a 15779->15781 15780->15736 15782 40eae4 2 API calls 15781->15782 15782->15780 15784 40ddc5 15783->15784 15785 40dd96 15783->15785 15784->15772 15784->15775 15785->15784 15786 40ddad lstrcmpiA 15785->15786 15786->15784 15786->15785 15788 40dddd 15787->15788 15790 40de20 15787->15790 15789 40ddfa lstrcmpA 15788->15789 15788->15790 15789->15788 15790->15774 15792 40dd05 6 API calls 15791->15792 15793 40e821 15792->15793 15794 40dd84 lstrcmpiA 15793->15794 15795 40e82c 15794->15795 15797 40e844 15795->15797 15839 402480 15795->15839 15797->15335 15799 40dd05 6 API calls 15798->15799 15800 40df7c 15799->15800 15801 40dd84 lstrcmpiA 15800->15801 15805 40df89 15801->15805 15802 40dfc4 15802->15340 15803 40ddcf lstrcmpA 15803->15805 15804 40ec2e codecvt 4 API calls 15804->15805 15805->15802 15805->15803 15805->15804 15806 40dd84 lstrcmpiA 15805->15806 15806->15805 15808 40ea98 15807->15808 15848 40e8a1 15808->15848 15810 401e84 15810->15342 15812 4019d5 GetProcAddress GetProcAddress GetProcAddress 15811->15812 15815 4019ce 15811->15815 15813 401ab3 FreeLibrary 15812->15813 15814 401a04 15812->15814 15813->15815 15814->15813 15816 401a14 GetProcessHeap 15814->15816 15815->15348 15816->15815 15818 401a2e HeapAlloc 15816->15818 15818->15815 15819 401a42 15818->15819 15820 401a52 HeapReAlloc 15819->15820 15822 401a62 
15819->15822 15820->15822 15821 401aa1 FreeLibrary 15821->15815 15822->15821 15823 401a96 HeapFree 15822->15823 15823->15821 15876 401ac3 LoadLibraryA 15824->15876 15827 401bcf 15827->15359 15829 401ac3 12 API calls 15828->15829 15830 401c09 15829->15830 15831 401c41 15830->15831 15832 401c0d GetComputerNameA 15830->15832 15831->15368 15833 401c45 GetVolumeInformationA 15832->15833 15834 401c1f 15832->15834 15833->15831 15834->15831 15834->15833 15836 40ee2a 15835->15836 15837 4030d0 gethostname gethostbyname 15836->15837 15838 401f82 15837->15838 15838->15373 15838->15374 15842 402419 lstrlenA 15839->15842 15841 402491 15841->15797 15843 40243d lstrlenA 15842->15843 15846 402474 15842->15846 15844 402464 lstrlenA 15843->15844 15845 40244e lstrcmpiA 15843->15845 15844->15843 15844->15846 15845->15844 15847 40245c 15845->15847 15846->15841 15847->15844 15847->15846 15849 40dd05 6 API calls 15848->15849 15850 40e8b4 15849->15850 15851 40dd84 lstrcmpiA 15850->15851 15852 40e8c0 15851->15852 15853 40e8c8 lstrcpynA 15852->15853 15862 40e90a 15852->15862 15855 40e8f5 15853->15855 15854 402419 4 API calls 15856 40e926 lstrlenA lstrlenA 15854->15856 15869 40df4c 15855->15869 15858 40e94c lstrlenA 15856->15858 15860 40e96a 15856->15860 15858->15860 15859 40e901 15861 40dd84 lstrcmpiA 15859->15861 15863 40ebcc 4 API calls 15860->15863 15864 40ea27 15860->15864 15861->15862 15862->15854 15862->15864 15865 40e98f 15863->15865 15864->15810 15865->15864 15866 40df4c 20 API calls 15865->15866 15867 40ea1e 15866->15867 15868 40ec2e codecvt 4 API calls 15867->15868 15868->15864 15870 40dd05 6 API calls 15869->15870 15871 40df51 15870->15871 15872 40f04e 4 API calls 15871->15872 15873 40df58 15872->15873 15874 40de24 10 API calls 15873->15874 15875 40df63 15874->15875 15875->15859 15877 401ae2 GetProcAddress 15876->15877 15882 401b68 GetComputerNameA GetVolumeInformationA 15876->15882 15878 401af5 15877->15878 15877->15882 15879 40ebed 8 API calls 15878->15879 15881 401b29 
15878->15881 15879->15878 15880 40ec2e codecvt 4 API calls 15880->15882 15881->15880 15881->15881 15881->15882 15882->15827 15884 406ec3 2 API calls 15883->15884 15885 407ef4 15884->15885 15886 4073ff 17 API calls 15885->15886 15895 407fc9 15885->15895 15887 407f16 15886->15887 15887->15895 15896 407809 GetUserNameA 15887->15896 15889 407f63 15890 40ef1e lstrlenA 15889->15890 15889->15895 15891 407fa6 15890->15891 15892 40ef1e lstrlenA 15891->15892 15893 407fb7 15892->15893 15920 407a95 RegOpenKeyExA 15893->15920 15895->15386 15897 40783d LookupAccountNameA 15896->15897 15898 407a8d 15896->15898 15897->15898 15899 407874 GetLengthSid GetFileSecurityA 15897->15899 15898->15889 15899->15898 15900 4078a8 GetSecurityDescriptorOwner 15899->15900 15901 4078c5 EqualSid 15900->15901 15902 40791d GetSecurityDescriptorDacl 15900->15902 15901->15902 15903 4078dc LocalAlloc 15901->15903 15902->15898 15915 407941 15902->15915 15903->15902 15904 4078ef InitializeSecurityDescriptor 15903->15904 15906 407916 LocalFree 15904->15906 15907 4078fb SetSecurityDescriptorOwner 15904->15907 15905 40795b GetAce 15905->15915 15906->15902 15907->15906 15908 40790b SetFileSecurityA 15907->15908 15908->15906 15909 407980 EqualSid 15909->15915 15910 407a3d 15910->15898 15913 407a43 LocalAlloc 15910->15913 15911 4079be EqualSid 15911->15915 15912 40799d DeleteAce 15912->15915 15913->15898 15914 407a56 InitializeSecurityDescriptor 15913->15914 15916 407a62 SetSecurityDescriptorDacl 15914->15916 15917 407a86 LocalFree 15914->15917 15915->15898 15915->15905 15915->15909 15915->15910 15915->15911 15915->15912 15916->15917 15918 407a73 SetFileSecurityA 15916->15918 15917->15898 15918->15917 15919 407a83 15918->15919 15919->15917 15921 407acb GetUserNameA 15920->15921 15922 407ac4 15920->15922 15923 407da7 RegCloseKey 15921->15923 15924 407aed LookupAccountNameA 15921->15924 15922->15895 15923->15922 15924->15923 15925 407b24 RegGetKeySecurity 15924->15925 15925->15923 15926 407b49 
GetSecurityDescriptorOwner 15925->15926 15927 407b63 EqualSid 15926->15927 15928 407bb8 GetSecurityDescriptorDacl 15926->15928 15927->15928 15930 407b74 LocalAlloc 15927->15930 15929 407da6 15928->15929 15937 407bdc 15928->15937 15929->15923 15930->15928 15931 407b8a InitializeSecurityDescriptor 15930->15931 15933 407bb1 LocalFree 15931->15933 15934 407b96 SetSecurityDescriptorOwner 15931->15934 15932 407bf8 GetAce 15932->15937 15933->15928 15934->15933 15935 407ba6 RegSetKeySecurity 15934->15935 15935->15933 15936 407c1d EqualSid 15936->15937 15937->15929 15937->15932 15937->15936 15938 407cd9 15937->15938 15939 407c5f EqualSid 15937->15939 15940 407c3a DeleteAce 15937->15940 15938->15929 15941 407d5a LocalAlloc 15938->15941 15943 407cf2 RegOpenKeyExA 15938->15943 15939->15937 15940->15937 15941->15929 15942 407d70 InitializeSecurityDescriptor 15941->15942 15944 407d7c SetSecurityDescriptorDacl 15942->15944 15945 407d9f LocalFree 15942->15945 15943->15941 15948 407d0f 15943->15948 15944->15945 15946 407d8c RegSetKeySecurity 15944->15946 15945->15929 15946->15945 15947 407d9c 15946->15947 15947->15945 15949 407d43 RegSetValueExA 15948->15949 15949->15941 15950 407d54 15949->15950 15950->15941 15951->15402 15953 40dd05 6 API calls 15952->15953 15954 40e65f 15953->15954 15955 40e6a5 15954->15955 15957 40e68c lstrcmpA 15954->15957 15956 40ebcc 4 API calls 15955->15956 15958 40e6f5 15955->15958 15959 40e6b0 15956->15959 15957->15954 15961 40e71d lstrcmpA 15958->15961 15962 40e6b7 15958->15962 15959->15958 15960 40e6e0 lstrcpynA 15959->15960 15959->15962 15960->15958 15961->15958 15962->15404 15963->15410 15965 40c525 15964->15965 15966 40c532 15964->15966 15965->15966 15968 40ec2e codecvt 4 API calls 15965->15968 15967 40c548 15966->15967 16116 40e7ff 15966->16116 15970 40e7ff lstrcmpiA 15967->15970 15978 40c54f 15967->15978 15968->15966 15971 40c615 15970->15971 15972 40ebcc 4 API calls 15971->15972 15971->15978 15972->15978 15973 40c5d1 15976 40ebcc 4 API calls 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                                                      • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                                                      • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                                                      • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                                                      • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                                                      • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                                                      • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                                                      • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                                      • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                                                      • API String ID: 2089075347-2824936573
                                                                                                                      • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                                                      • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                                                      • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                                                      • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                                                       Control-flow Graph (graph image omitted; the function's API calls are listed under APIs below)

                                                                                                                      APIs
                                                                                                                      • InterlockedDecrement.KERNEL32(?), ref: 0041A43D
                                                                                                                      • SetConsoleTitleA.KERNEL32(00000000), ref: 0041A445
                                                                                                                      • GlobalSize.KERNEL32(00000000), ref: 0041A44D
                                                                                                                      • FindAtomW.KERNEL32(00000000), ref: 0041A455
                                                                                                                      • SearchPathW.KERNEL32(0041CA08,0041C9CC,0041C98C,00000000,?,?), ref: 0041A479
                                                                                                                      • SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A483
                                                                                                                      • GetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 0041A4AB
                                                                                                                      • CopyFileExA.KERNEL32(0041CA54,0041CA48,00000000,00000000,00000000,00000000), ref: 0041A4C3
                                                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 0041A4C9
                                                                                                                      • WriteConsoleOutputW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0041A4E8
                                                                                                                      • GetNumaHighestNodeNumber.KERNEL32(?), ref: 0041A4F3
                                                                                                                      • DebugActiveProcessStop.KERNEL32(00000000), ref: 0041A4FB
                                                                                                                      • GetSystemDefaultLCID.KERNEL32 ref: 0041A515
                                                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 0041A529
                                                                                                                      • LoadLibraryW.KERNEL32(00000000), ref: 0041A542
                                                                                                                      • GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041A58C
                                                                                                                      • GetSystemTimes.KERNELBASE(?,?,?), ref: 0041A5A1
                                                                                                                      • FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A5C9
                                                                                                                      • GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 0041A5EC
                                                                                                                      • CallNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A5F9
                                                                                                                      • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0041A601
                                                                                                                      • CopyFileA.KERNEL32(0041CAD8,0041CAB0,00000000), ref: 0041A612
                                                                                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0041A619
                                                                                                                      • GetConsoleAliasExesLengthW.KERNEL32 ref: 0041A61F
                                                                                                                      • OpenWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0041A628
                                                                                                                      • GetBinaryTypeW.KERNEL32(00000000,00000000), ref: 0041A630
                                                                                                                      • GlobalAlloc.KERNELBASE(00000000,004220DC), ref: 0041A66F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594975942.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_415000_uMlLpvdLRU.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Console$File$CopyDefaultGlobalLengthSystem$ActiveAliasAliasesAllocAtomAttributesBinaryCallCommComputerConfigCriticalDebugDecrementEnterEnvironmentExesFindFoldHighestInformationInterlockedLibraryLoadModeNameNamedNodeNumaNumberObjectOpenOutputPathPipeProcessSearchSectionSizeStopStringStringsTimerTimesTitleTypeUserWaitableWrite
                                                                                                                      • String ID: k`$}$
                                                                                                                      • API String ID: 1387190455-956986773
                                                                                                                      • Opcode ID: 0cdf8472348f809f2fd8f217c0fd777b165f73a7af62ccbf81e5d6157e6b6df5
                                                                                                                      • Instruction ID: 37379827b28c5908f82b0116f8609ffbc644b13a744a3271631f23acd6dce4b9
                                                                                                                      • Opcode Fuzzy Hash: 0cdf8472348f809f2fd8f217c0fd777b165f73a7af62ccbf81e5d6157e6b6df5
                                                                                                                      • Instruction Fuzzy Hash: E4A12471A45310AFD320AB61EC49BDF7B68EB4C705F00803AF659961A0C7785985CBEE

                                                                                                                       Control-flow Graph (graph image omitted; the function's API calls are listed under APIs below)

                                                                                                                      APIs
                                                                                                                      • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                                                      • wsprintfA.USER32 ref: 004093CE
                                                                                                                      • wsprintfA.USER32 ref: 0040940C
                                                                                                                      • wsprintfA.USER32 ref: 0040948D
                                                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                                      • String ID: PromptOnSecureDesktop$runas
                                                                                                                      • API String ID: 3696105349-2220793183
                                                                                                                      • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                                      • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                                                      • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                                      • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                                                       Control-flow Graph (graph image omitted; the function's API calls are listed under APIs below)

                                                                                                                      APIs
                                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateEventExitProcess
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 2404124870-2980165447
                                                                                                                      • Opcode ID: 7de862f9e9b35a1df311cf9a4407cf261d5ef3a80a072fcdc92d6b04e029e81b
                                                                                                                      • Instruction ID: a90c6c4c2b7f8b8208d93dc1fe438bcf4b3bc6ab1fe170e3c7599fd426c471ab
                                                                                                                      • Opcode Fuzzy Hash: 7de862f9e9b35a1df311cf9a4407cf261d5ef3a80a072fcdc92d6b04e029e81b
                                                                                                                      • Instruction Fuzzy Hash: 3851A3B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9

                                                                                                                       Control-flow Graph (graph image omitted; the function's API calls are listed under APIs below)

                                                                                                                      APIs
                                                                                                                      • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                                      • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                                      • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                                      • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 3188212458-2980165447
                                                                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                      • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                      • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1209300637-0
                                                                                                                      • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                                      • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                                      • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                                      • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                                                      APIs
                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005BA75E
                                                                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 005BA77E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595280010.00000000005B9000.00000040.00000020.00020000.00000000.sdmp, Offset: 005B9000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_5b9000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3833638111-0
                                                                                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                      • Instruction ID: 0adb77cdc99369f9463b5b6ba448cdc19a057c1994a37b68d8b6ed23f73855f4
                                                                                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                      • Instruction Fuzzy Hash: 0FF09631100711AFD7203BF9988DBAE7AF8FF49725F104529E642910C0DF74FC454662
                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                                        • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                                                        • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocateSize
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2559512979-0
                                                                                                                      • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                                      • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                                                      • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                                      • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                                                      Control-flow Graph (legend: Executed / Not Executed; basic-block edge listing of the graph image not reproduced)
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 00407472
                                                                                                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 004074F0
                                                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 00407528
                                                                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 004076E7
                                                                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 00407717
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 00407745
                                                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 004077EF
                                                                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                                      • String ID: "$PromptOnSecureDesktop
                                                                                                                      • API String ID: 3433985886-3108538426
                                                                                                                      • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                                      • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                                                      • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                                      • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                                                      Control-flow Graph (legend: Executed / Not Executed; basic-block edge listing of the graph image not reproduced)
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 004070C2
                                                                                                                      • RegEnumValueA.KERNELBASE(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0040719E
                                                                                                                      • RegCloseKey.KERNELBASE(76230F10,?,76230F10,00000000), ref: 004071B2
                                                                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 00407208
                                                                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 00407291
                                                                                                                      • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 004072D0
                                                                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 00407314
                                                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 004073D8
                                                                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                                                      • String ID: $"$PromptOnSecureDesktop
                                                                                                                      • API String ID: 4293430545-98143240
                                                                                                                      • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                                                      • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                                                      • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                                                      • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                                                      Control-flow Graph (legend: Executed / Not Executed; basic-block edge listing of the graph image not reproduced)
                                                                                                                      APIs
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                                                      • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                                                      • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                                                      • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,76230F10,00000000), ref: 0040688B
                                                                                                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 00406906
                                                                                                                      • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,76230F10,00000000), ref: 0040691C
                                                                                                                      • CloseHandle.KERNELBASE(000000FF,?,76230F10,00000000), ref: 00406971
                                                                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2622201749-0
                                                                                                                      • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                                      • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                                                      • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                                      • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                                                       Control-flow Graph (graph image not preserved): blocks 208003c-208091d; API calls VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA; subcalls 2080a3f, 2080e0f, 2080d90, 2080a69, 2080cce, 2080ce7
                                                                                                                      APIs
                                                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0208024D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual
                                                                                                                      • String ID: cess$kernel32.dll
                                                                                                                      • API String ID: 4275171209-1230238691
                                                                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                      • Instruction ID: 094ada9956a38843da231dd86c67634bf040858582ffe9a2bc1163de5be843d6
                                                                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                      • Instruction Fuzzy Hash: 7D527A75A01229DFDBA4CF58C984BADBBB1BF09304F1480D9E54DAB351DB30AA89DF14

                                                                                                                       Control-flow Graph (graph image not preserved): blocks 41a696-41a76b; API calls LoadLibraryW, GlobalSize, InterlockedExchange; subcalls 41a0a0, 41a310, 41a090
                                                                                                                      APIs
                                                                                                                      • LoadLibraryW.KERNELBASE(0041CB10), ref: 0041A6C1
                                                                                                                      • GlobalSize.KERNEL32(00000000), ref: 0041A6EB
                                                                                                                      • InterlockedExchange.KERNEL32(?,00000000), ref: 0041A71A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594975942.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_415000_uMlLpvdLRU.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExchangeGlobalInterlockedLibraryLoadSize
                                                                                                                      • String ID: k`$}$
                                                                                                                      • API String ID: 1230614907-956986773
                                                                                                                      • Opcode ID: ad299a3146fbd31aa4e72491768b5ec2b553fdd1698bae50372d489600919617
                                                                                                                      • Instruction ID: 3691dabe03090a73b08bcf6b98ad8fa90aa58e4902adf23636a8ed1bf61f499c
                                                                                                                      • Opcode Fuzzy Hash: ad299a3146fbd31aa4e72491768b5ec2b553fdd1698bae50372d489600919617
                                                                                                                      • Instruction Fuzzy Hash: 5C1108307462408AC734AB20DC467DFB761EB48315F15443FE6AA962A1CB7894A1C7DF

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                                                      • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                                                      • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                                                        • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                                        • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                                        • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                                        • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                                        • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 4131120076-2980165447
                                                                                                                      • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                                                      • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                                                      • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                                                      • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                                                       Control-flow Graph (graph image not preserved): blocks 41a0a0-41a195; API calls GetModuleHandleW, GetProcAddress, VirtualProtect
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleW.KERNEL32(00421FB0), ref: 0041A13E
                                                                                                                      • GetProcAddress.KERNEL32(00000000,00420720), ref: 0041A171
                                                                                                                      • VirtualProtect.KERNELBASE(00421DFC,004220DC,00000040,?), ref: 0041A190
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594975942.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_415000_uMlLpvdLRU.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2099061454-3916222277
                                                                                                                      • Opcode ID: 66c140271c644cc1f2ccc4ee16bc6603007ca1d7cd4741005967d982a08338d1
                                                                                                                      • Instruction ID: df23f584a4b94a56a47cf0700e1bb303751c1b2e60a1d636fe9a2e96d66d9807
                                                                                                                      • Opcode Fuzzy Hash: 66c140271c644cc1f2ccc4ee16bc6603007ca1d7cd4741005967d982a08338d1
                                                                                                                      • Instruction Fuzzy Hash: 52112964718240DED720CF64FE05B067AF1FBAC784F815238D1548B2B2DBB526468B6D

                                                                                                                       Control-flow Graph (graph image not preserved): blocks 404000-40405c; API calls CreateFileA, GetLastError, Sleep
                                                                                                                      APIs
                                                                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                                                      • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                                                      • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateErrorFileLastSleep
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 408151869-2980165447
                                                                                                                      • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                                      • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                                                      • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                                      • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                                                       Control-flow Graph (graph image not preserved): blocks 406987-406a5f; API calls WriteFile (two call sites)
                                                                                                                      APIs
                                                                                                                      • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                                      • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: FileWrite
                                                                                                                      • String ID: ,k@
                                                                                                                      • API String ID: 3934441357-1053005162
                                                                                                                      • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                                      • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                                      • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                                      • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                                                       Control-flow Graph (graph image not preserved): blocks 4091eb-409324; API calls ShellExecuteA, Sleep; subcalls 40ed03, 40ee08
                                                                                                                      APIs
                                                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                                                      • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ExecuteShellSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4194306370-0
                                                                                                                      • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                                                      • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                                                      • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                                                      • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759
                                                                                                                      APIs
                                                                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,02080223,?,?), ref: 02080E19
                                                                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,02080223,?,?), ref: 02080E1E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorMode
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2340568224-0
                                                                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                      • Instruction ID: 0594162c44c975425590a9f4248303b472abad866a18c321087184769bf3c7dc
                                                                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                      • Instruction Fuzzy Hash: 20D0123214522877D7413A94DC09BCE7B5CDF05B66F008011FB0DD9080C770954046E5
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                                        • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                                        • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                                        • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1823874839-0
                                                                                                                      • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                                      • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                                                      • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                                      • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                                                      APIs
                                                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005BA446
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595280010.00000000005B9000.00000040.00000020.00020000.00000000.sdmp, Offset: 005B9000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_5b9000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4275171209-0
                                                                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                      • Instruction ID: 41ca8431402b37fb4b33560d8e28f6fd7751c16f61ee0f9e86efbfcf5c9f8d01
                                                                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                      • Instruction Fuzzy Hash: C7112A79A00208EFDB01DF98C989E98BFF5AB08350F058094F9489B362D771EA50DF81
                                                                                                                      APIs
                                                                                                                      • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                                                      • closesocket.WS2_32(?), ref: 0040CB63
                                                                                                                      • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                                                      • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                                                      • wsprintfA.USER32 ref: 0040CD21
                                                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                                                      • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                                                      • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                                                      • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                                                      • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                                                      • closesocket.WS2_32(?), ref: 0040D56C
                                                                                                                      • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                                                      • ExitProcess.KERNEL32 ref: 0040D583
                                                                                                                      • wsprintfA.USER32 ref: 0040D81F
                                                                                                                        • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                                                      • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                                                      • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                                                      • API String ID: 562065436-3791576231
                                                                                                                      • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                                                      • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                                                      • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                                                      • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                                                      • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                                                      • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                                                      • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                                                      • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                                                      • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                                                      • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                                                      • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                                                      • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                                                      • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                                                      • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                                      • API String ID: 2238633743-3228201535
                                                                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                                                      APIs
                                                                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                                      • API String ID: 766114626-2976066047
                                                                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                                                      APIs
                                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                                      • String ID: D
                                                                                                                      • API String ID: 3722657555-2746444292
                                                                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                      • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                      • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                                                      APIs
                                                                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ExecuteShelllstrlen
                                                                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                                                      • API String ID: 1628651668-1839596206
                                                                                                                      • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                                      • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                                                      • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                                      • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                                                      APIs
                                                                                                                      • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                                                      • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                                                      • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                                                        • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                                                      • API String ID: 4207808166-1381319158
                                                                                                                      • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                                                      • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                                                      • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                                                      • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 00402A83
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 00402A86
                                                                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                                                      • htons.WS2_32(00000000), ref: 00402ADB
                                                                                                                      • select.WS2_32 ref: 00402B28
                                                                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                                                      • htons.WS2_32(?), ref: 00402B71
                                                                                                                      • htons.WS2_32(?), ref: 00402B8C
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1639031587-0
                                                                                                                      • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                                                      • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                                                      • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                                                      • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                                                      APIs
                                                                                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2438460464-0
                                                                                                                      • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                                                      • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                                                      • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                                                      • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                                                      APIs
                                                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                      • String ID: *p@
                                                                                                                      • API String ID: 3429775523-2474123842
                                                                                                                      • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                                      • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                                                      • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                                      • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
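The AllocateAndInitializeSid call above passes a sub-authority count of 2 with sub-authorities 0x20 and 0x220, and the result is handed to CheckTokenMembership: a check of whether the caller's token carries a given group SID. 0x20 is SECURITY_BUILTIN_DOMAIN_RID and 0x220 is DOMAIN_ALIAS_RID_ADMINS, so if the first argument (shown as "?") is SECURITY_NT_AUTHORITY the SID is S-1-5-32-544, BUILTIN\Administrators. The Python below is an added example, not code from the sample or from Joe Sandbox; it lays out the SID in memory the way the API does and decodes it back, so the same argument list can be read off any report. The authority value 5 is an assumption for the "?" argument.

```python
"""Build and decode binary SIDs so AllocateAndInitializeSid argument lists
can be turned into S-1-... strings.

Added example, not code from the sample or from Joe Sandbox. The identifier
authority is the "?" argument in the report; SECURITY_NT_AUTHORITY (5) is
assumed here.
"""
import struct

SECURITY_NT_AUTHORITY = 5           # assumed value of the "?" argument
SECURITY_BUILTIN_DOMAIN_RID = 0x20  # 32, from the report's argument list
DOMAIN_ALIAS_RID_ADMINS = 0x220     # 544, from the report's argument list

WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
}


def build_sid(authority, sub_authorities):
    """Lay out a SID as AllocateAndInitializeSid does: revision byte (1),
    sub-authority count byte, a 6-byte big-endian identifier authority,
    then each sub-authority as a 32-bit little-endian value."""
    if not 0 < len(sub_authorities) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    blob = struct.pack("<BB", 1, len(sub_authorities))
    blob += authority.to_bytes(6, "big")
    for sub in sub_authorities:
        blob += struct.pack("<I", sub)
    return blob


def sid_to_string(blob):
    """Parse a binary SID into its textual form, checking the declared
    length so a truncated blob is rejected instead of misread."""
    if len(blob) < 8:
        raise ValueError("SID header truncated")
    revision, count = struct.unpack_from("<BB", blob, 0)
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-1-" + "-".join(str(v) for v in (authority, *subs))


def sid_from_api_args(authority, sub_count, *rids):
    """Mirror the AllocateAndInitializeSid argument order shown in the
    report: authority, nSubAuthorityCount, then up to eight sub-authorities
    (unused slots are zero and ignored)."""
    return sid_to_string(build_sid(authority, list(rids[:sub_count])))


def describe(sid):
    """Name a well-known SID, or say it is not one we recognise."""
    return WELL_KNOWN.get(sid, "(not a well-known SID)")


if __name__ == "__main__":
    # Argument list copied from the report, with the "?" replaced by the assumed 5.
    sid = sid_from_api_args(SECURITY_NT_AUTHORITY, 2,
                            SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
                            0, 0, 0, 0, 0, 0)
    print(sid, describe(sid))
```

Seen together with the ShellExecuteExW function whose strings include "uac" and "wusa.exe", a negative result from this check is the natural branch point for an elevation attempt; the report itself only shows the two functions, not the control flow between them.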
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 020865F6
                                                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02086610
                                                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02086631
                                                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02086652
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1965334864-0
                                                                                                                      • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                                      • Instruction ID: 8f2f23149897569958edf0afc58b27ad45b992c6b2ff9c1b4757461061f986fd
                                                                                                                      • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                                      • Instruction Fuzzy Hash: 38119171600358BFDB21AF65DC0AF9B3FACEB057A5F014024FA09E7250DBB2DD109AA4
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1965334864-0
                                                                                                                      • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                                                      • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                                                      APIs
                                                                                                                      • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                                                      • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                                                        • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                                                        • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3754425949-0
                                                                                                                      • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                                                      • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                                                      • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                                                      • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: .$GetProcAddress.$l
                                                                                                                      • API String ID: 0-2784972518
                                                                                                                      • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                      • Instruction ID: 761247b40084aa777b878560d26c120f0ea522af0afc58718300f8bafaa69f72
                                                                                                                      • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                      • Instruction Fuzzy Hash: F5313BB6910709DFDB11DF99C880AAEBBF6FF48324F15405AD881A7310D771EA49CBA4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                                                      • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                                                      • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                                                      • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595280010.00000000005B9000.00000040.00000020.00020000.00000000.sdmp, Offset: 005B9000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_5b9000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                      • Instruction ID: c1a9553dca1298fd443102da148385c740c5326787231f819f24dbc6eebee13c
                                                                                                                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                      • Instruction Fuzzy Hash: B8115A72340204AFD754EE69DC85EA677EAFB89320B298065E904CB312E67AE841C760
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                      • Instruction ID: 62ef794621d5ea3b2d77e87dd9d73198f7d5adc64546af18e458383c1f14b76b
                                                                                                                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                      • Instruction Fuzzy Hash: C701F272A107008FDF22EF20C805BAB33E6FB86316F0540A4D94A97281E770A8498B80
                                                                                                                      APIs
                                                                                                                      • ExitProcess.KERNEL32 ref: 02089E6D
                                                                                                                      • lstrcpy.KERNEL32(?,00000000), ref: 02089FE1
                                                                                                                      • lstrcat.KERNEL32(?,?), ref: 02089FF2
                                                                                                                      • lstrcat.KERNEL32(?,0041070C), ref: 0208A004
                                                                                                                      • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0208A054
                                                                                                                      • DeleteFileA.KERNEL32(?), ref: 0208A09F
                                                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0208A0D6
                                                                                                                      • lstrcpy.KERNEL32 ref: 0208A12F
                                                                                                                      • lstrlen.KERNEL32(00000022), ref: 0208A13C
                                                                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 02089F13
                                                                                                                        • Part of subcall function 02087029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02087081
                                                                                                                        • Part of subcall function 02086F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\eafwolca,02087043), ref: 02086F4E
                                                                                                                        • Part of subcall function 02086F30: GetProcAddress.KERNEL32(00000000), ref: 02086F55
                                                                                                                        • Part of subcall function 02086F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02086F7B
                                                                                                                        • Part of subcall function 02086F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02086F92
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0208A1A2
                                                                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0208A1C5
                                                                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0208A214
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0208A21B
                                                                                                                      • GetDriveTypeA.KERNEL32(?), ref: 0208A265
                                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0208A29F
                                                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 0208A2C5
                                                                                                                      • lstrcat.KERNEL32(?,00000022), ref: 0208A2D9
                                                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 0208A2F4
                                                                                                                      • wsprintfA.USER32 ref: 0208A31D
                                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0208A345
                                                                                                                      • lstrcat.KERNEL32(?,?), ref: 0208A364
                                                                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0208A387
                                                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0208A398
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0208A1D1
                                                                                                                        • Part of subcall function 02089966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0208999D
                                                                                                                        • Part of subcall function 02089966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 020899BD
                                                                                                                        • Part of subcall function 02089966: RegCloseKey.ADVAPI32(?), ref: 020899C6
                                                                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0208A3DB
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0208A3E2
                                                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 0208A41D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                                                      • String ID: "$"$"$D$P$\
                                                                                                                      • API String ID: 1653845638-2605685093
                                                                                                                      • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                                      • Instruction ID: e50d70cb48baee6486e2e3203cd51a62262520df80a5830ac0e732d3276c1df1
                                                                                                                      • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                                      • Instruction Fuzzy Hash: F4F140B1D4035DAFDF22EBA08C88FEF7BBCAB08304F0444A6E645E2141E77596859F65
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02087D21
                                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 02087D46
                                                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02087D7D
                                                                                                                      • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02087DA2
                                                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02087DC0
                                                                                                                      • EqualSid.ADVAPI32(?,?), ref: 02087DD1
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 02087DE5
                                                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02087DF3
                                                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02087E03
                                                                                                                      • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02087E12
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 02087E19
                                                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02087E35
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                                      • String ID: D$PromptOnSecureDesktop
                                                                                                                      • API String ID: 2976863881-1403908072
                                                                                                                      • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                                      • Instruction ID: c91c96f5e7614949d112064d2daf416f60de55ce0c3a00dbf0d7bca7b5f16cf0
                                                                                                                      • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                                      • Instruction Fuzzy Hash: 95A18B7690021DAFDB12DFA1DC88FEFBBB8FB08304F148169E541E6160D7758A84DB64
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                                                      • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                                      • String ID: D$PromptOnSecureDesktop
                                                                                                                      • API String ID: 2976863881-1403908072
                                                                                                                      • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                                      • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                                                      • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                                      • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
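The two routines listed above are more telling than their API ID strings suggest: the 0208A1A2 routine opens an HKEY_CURRENT_USER key (0x80000001), writes a REG_SZ value (dwType 1), resolves its own path with GetModuleFileNameA, launches a process with CREATE_NO_WINDOW (0x08000000) and deletes a file afterwards; the 02087D21 routine (and its unpacked twin at 00407ABA) opens a key with samDesired 0x000E0100, which decodes to READ_CONTROL | WRITE_DAC | WRITE_OWNER | KEY_WOW64_64KEY, reads owner and DACL (RegGetKeySecurity with 5 = OWNER | DACL), compares the owner SID with the current user's (EqualSid) and, when they differ, installs itself as owner (RegSetKeySecurity with 1 = OWNER_SECURITY_INFORMATION) before touching the DACL, with PromptOnSecureDesktop as the value name in play. The following is an added analyst example, not part of the Joe Sandbox report and not Tofsee code: it parses listing lines copied from this report into an ordered call trace, decodes the numeric arguments against Windows SDK constants, and flags both behaviours as in-order call subsequences. The behaviour signatures and the sort-by-address approximation of execution order are assumptions of this example, not something the sandbox provides; the constant values are from the Windows SDK headers.

```python
import re
from dataclasses import dataclass

# Constructed input: lines copied from the two 'APIs' listings in this report
# (the take-ownership routine at 02087D21.. and the relocation routine at 0208A1A2..).
TAKEOVER_LISTING = r"""
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02087D21
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02087DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02087DC0
• EqualSid.ADVAPI32(?,?), ref: 02087DD1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02087DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02087E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02087E12
"""
RELOCATE_LISTING = r"""
• GetTempPathA.KERNEL32(000001F4,?), ref: 02089F13
  • Part of subcall function 02086F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\eafwolca,02087043), ref: 02086F4E
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0208A1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0208A1C5
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0208A21B
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0208A387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0208A398
"""

# Windows SDK constants (winnt.h, winreg.h, processthreadsapi.h).
REG_ROOTS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
REG_ACCESS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x10000: "DELETE",
              0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
SECURITY_INFORMATION = {0x1: "OWNER_SECURITY_INFORMATION", 0x2: "GROUP_SECURITY_INFORMATION",
                        0x4: "DACL_SECURITY_INFORMATION", 0x8: "SACL_SECURITY_INFORMATION"}
CREATE_FLAGS = {0x4: "CREATE_SUSPENDED", 0x10: "CREATE_NEW_CONSOLE", 0x8000000: "CREATE_NO_WINDOW"}

# Behaviour signatures (this example's own): names must occur in this order among the function's own calls.
TAKE_OWNERSHIP = ["RegGetKeySecurity", "GetSecurityDescriptorOwner", "EqualSid",
                  "InitializeSecurityDescriptor", "SetSecurityDescriptorOwner", "RegSetKeySecurity"]
RELOCATE_AND_RUN = ["GetTempPathA", "RegSetValueExA", "GetModuleFileNameA", "CreateProcessA", "DeleteFileA"]

# One listing line: "Name.MODULE(arg,arg,...), ref: ADDRESS" or "Name.MODULE ref: ADDRESS".
CALL_RE = re.compile(r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class Call:
    name: str
    module: str
    args: list     # int for 8-hex-digit arguments, str for '?' and literal strings
    ref: int       # call-site address
    subcall: bool  # True for 'Part of subcall function' lines (another function's call)


def parse_listing(text):
    """Parse a Joe Sandbox 'APIs' listing into Calls sorted by call-site address (code order,
    which for these straight-line routines approximates execution order; the report's own order is arbitrary)."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if m:
            raw = m.group("args")
            args = [] if raw is None else [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else a
                                           for a in raw.split(",")]
            calls.append(Call(m.group("name"), m.group("module"), args,
                              int(m.group("ref"), 16), "Part of subcall" in line))
    return sorted(calls, key=lambda c: c.ref)


def decode_flags(value, table):
    """Expand a bitmask into SDK constant names; bits not in the table stay as hex."""
    if not isinstance(value, int):
        return ["?"]  # the sandbox could not recover the argument
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)
    return names + ([f"0x{rest:X}"] if rest else [])


def matches_sequence(calls, names):
    """True when `names` appear in order (not necessarily adjacent) among the function's own calls."""
    own = iter(c.name for c in calls if not c.subcall)
    return all(n in own for n in names)


def arg(calls, name, index):
    """Argument `index` of the function's first own call to `name`, or None if absent."""
    for c in calls:
        if c.name == name and not c.subcall and index < len(c.args):
            return c.args[index]
    return None


def analyse(calls):
    """Return the behaviours recognised in one function's call list, with decoded arguments."""
    findings = {}
    if matches_sequence(calls, TAKE_OWNERSHIP):
        findings["registry_key_takeover"] = {
            "requested_access": decode_flags(arg(calls, "RegOpenKeyExA", 3), REG_ACCESS),  # samDesired
            "rewrites": decode_flags(arg(calls, "RegSetKeySecurity", 1), SECURITY_INFORMATION),
        }
    if matches_sequence(calls, RELOCATE_AND_RUN):
        findings["drop_register_run_delete"] = {
            "hive": REG_ROOTS.get(arg(calls, "RegOpenKeyExA", 0), "unknown"),
            "creation_flags": decode_flags(arg(calls, "CreateProcessA", 5), CREATE_FLAGS),  # dwCreationFlags
        }
    return findings
```

Run against the take-ownership listing, `analyse` reports requested access of KEY_WOW64_64KEY, READ_CONTROL, WRITE_DAC and WRITE_OWNER and a rewrite of OWNER_SECURITY_INFORMATION only; the KEY_WOW64_64KEY bit fits a 32-bit process (the listing shows C:\Windows\SysWOW64\) reaching into the 64-bit registry view. On a live host the corresponding hunt is an unexpected owner on the key that holds PromptOnSecureDesktop, which per Microsoft documentation is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the report shows the value name, not the key path, so the path is an assumption here), together with a Run-style value under HKCU pointing at a copy of the sample.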
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                                      • API String ID: 2400214276-165278494
                                                                                                                      APIs
                                                                                                                      • wsprintfA.USER32 ref: 0040A7FB
                                                                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                                                      • wsprintfA.USER32 ref: 0040A8AF
                                                                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                                                      • wsprintfA.USER32 ref: 0040A8E2
                                                                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                                                      • wsprintfA.USER32 ref: 0040A9B9
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                                      • API String ID: 3650048968-2394369944
                                                                                                                      APIs
                                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 02087A96
                                                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02087ACD
                                                                                                                      • GetLengthSid.ADVAPI32(?), ref: 02087ADF
                                                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02087B01
                                                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02087B1F
                                                                                                                      • EqualSid.ADVAPI32(?,?), ref: 02087B39
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 02087B4A
                                                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02087B58
                                                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02087B68
                                                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02087B77
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 02087B7E
                                                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02087B9A
                                                                                                                      • GetAce.ADVAPI32(?,?,?), ref: 02087BCA
                                                                                                                      • EqualSid.ADVAPI32(?,?), ref: 02087BF1
                                                                                                                      • DeleteAce.ADVAPI32(?,?), ref: 02087C0A
                                                                                                                      • EqualSid.ADVAPI32(?,?), ref: 02087C2C
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 02087CB1
                                                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02087CBF
                                                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02087CD0
                                                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02087CE0
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 02087CEE
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                                      • String ID: D
                                                                                                                      • API String ID: 3722657555-2746444292
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                                                      • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                                                      • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                                                      • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Value$CloseOpenQuery
                                                                                                                      • String ID: PromptOnSecureDesktop$localcfg
                                                                                                                      • API String ID: 237177642-1678164370
                                                                                                                      APIs
                                                                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                                      • API String ID: 835516345-270533642
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0208865A
                                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0208867B
                                                                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 020886A8
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 020886B1
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Value$CloseOpenQuery
                                                                                                                      • String ID: "$PromptOnSecureDesktop
                                                                                                                      • API String ID: 237177642-3108538426
                                                                                                                      APIs
                                                                                                                      • ShellExecuteExW.SHELL32(?), ref: 02081601
                                                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 020817D8
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ExecuteShelllstrlen
                                                                                                                      • String ID: $<$@$D
                                                                                                                      • API String ID: 1628651668-1974347203
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 020876D9
                                                                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02087757
                                                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0208778F
                                                                                                                      • ___ascii_stricmp.LIBCMT ref: 020878B4
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0208794E
                                                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0208796D
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0208797E
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 020879AC
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 02087A56
                                                                                                                        • Part of subcall function 0208F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0208772A,?), ref: 0208F414
                                                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 020879F6
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 02087A4D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                                      • String ID: "$PromptOnSecureDesktop
                                                                                                                      • API String ID: 3433985886-3108538426
                                                                                                                      APIs
                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02082CED
                                                                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 02082D07
                                                                                                                      • htons.WS2_32(00000000), ref: 02082D42
                                                                                                                      • select.WS2_32 ref: 02082D8F
                                                                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 02082DB1
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02082E62
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 127016686-0
                                                                                                                      • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                                                      • Instruction ID: e6a871217094e9b3b903aa19e4cc1c22140071cf43365d648cdeb6415f53aa08
                                                                                                                      • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                                                      • Instruction Fuzzy Hash: 0161D072504385AFC321BF64DC08BABBBE8EB48745F004819FDC497251D7B5D880EBAA
                                                                                                                      APIs
                                                                                                                      • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                                                        • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                                        • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                                        • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                                                        • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                                                      • wsprintfA.USER32 ref: 0040AEA5
                                                                                                                        • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                                                      • wsprintfA.USER32 ref: 0040AE4F
                                                                                                                      • wsprintfA.USER32 ref: 0040AE5E
                                                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                                                      • API String ID: 3631595830-1816598006
                                                                                                                      • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                                                      • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                                                      • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                                                      • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                                                      • htons.WS2_32(00000035), ref: 00402E88
                                                                                                                      • inet_addr.WS2_32(?), ref: 00402E93
                                                                                                                      • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                                                      • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                                                                      • API String ID: 929413710-2099955842
                                                                                                                      • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                                      • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                                                      • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                                      • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                                                      APIs
                                                                                                                      • GetVersionExA.KERNEL32(?), ref: 020895A7
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 020895D5
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 020895DC
                                                                                                                      • wsprintfA.USER32 ref: 02089635
                                                                                                                      • wsprintfA.USER32 ref: 02089673
                                                                                                                      • wsprintfA.USER32 ref: 020896F4
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02089758
                                                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0208978D
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 020897D8
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 3696105349-2980165447
                                                                                                                      • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                                      • Instruction ID: c58be2975ff8c26e661c0a9a8f1dca7667c0a6d6902cc6766e0e1fa697224ab6
                                                                                                                      • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                                      • Instruction Fuzzy Hash: 2BA159B190034CAFEB21EFA1CC45FEF3BADAB04741F104026FA55A6251E7B595849FA4
                                                                                                                      APIs
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcmpi
                                                                                                                      • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                                                      • API String ID: 1586166983-142018493
                                                                                                                      • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                                      • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                                                      • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                                      • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                                                      APIs
                                                                                                                      • wsprintfA.USER32 ref: 0040B467
                                                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$wsprintf
                                                                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                                      • API String ID: 1220175532-2340906255
                                                                                                                      • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                                      • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                                                      • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                                      • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                                                      APIs
                                                                                                                      • GetVersionExA.KERNEL32 ref: 0208202D
                                                                                                                      • GetSystemInfo.KERNEL32(?), ref: 0208204F
                                                                                                                      • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0208206A
                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02082071
                                                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 02082082
                                                                                                                      • GetTickCount.KERNEL32 ref: 02082230
                                                                                                                        • Part of subcall function 02081E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 02081E7C
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                                      • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                                                      • API String ID: 4207808166-1391650218
                                                                                                                      • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                                                      • Instruction ID: 2364e96a5c8d2ab1394b859847e1d09051a5a8d5f15e41134ac96f0206ec9e24
                                                                                                                      • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                                                      • Instruction Fuzzy Hash: 6B51A3B0900344AFE370BF758C85FA7BAECEB55704F00492DFAD682142D7B9A584DB65
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 00402078
                                                                                                                      • GetTickCount.KERNEL32 ref: 004020D4
                                                                                                                      • GetTickCount.KERNEL32 ref: 004020DB
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040212B
                                                                                                                      • GetTickCount.KERNEL32 ref: 00402132
                                                                                                                      • GetTickCount.KERNEL32 ref: 00402142
                                                                                                                        • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                                                        • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                                                        • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                                        • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                                        • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                                                      • API String ID: 3976553417-1522128867
                                                                                                                      • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                                      • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                                                      • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                                      • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                                                      APIs
                                                                                                                      • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                                                      • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: closesockethtonssocket
                                                                                                                      • String ID: time_cfg
                                                                                                                      • API String ID: 311057483-2401304539
                                                                                                                      • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                                      • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                                                      • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                                      • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                                      • String ID: localcfg
                                                                                                                      • API String ID: 1553760989-1857712256
                                                                                                                      • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                                      • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                                                      • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                                      • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02083068
                                                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02083078
                                                                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 02083095
                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 020830B6
                                                                                                                      • htons.WS2_32(00000035), ref: 020830EF
                                                                                                                      • inet_addr.WS2_32(?), ref: 020830FA
                                                                                                                      • gethostbyname.WS2_32(?), ref: 0208310D
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 0208314D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                                      • String ID: iphlpapi.dll
                                                                                                                      • API String ID: 2869546040-3565520932
                                                                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                                      • Instruction ID: eeffcc8ca208f68e89b0066492fda497da2aee10249669ccbcdfbe4c173ffa14
                                                                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                                      • Instruction Fuzzy Hash: 7C31D331A00306ABDF52ABB8DC48BBF77F8AF84F24F1441A5E558E3290DB74D5819B58
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                                      • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                                                                      • API String ID: 3560063639-3847274415
                                                                                                                      • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                                      • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                                                      • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                                      • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                                                      • API String ID: 1082366364-2834986871
                                                                                                                      • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                                      • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                                                      • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                                      • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                                                      APIs
                                                                                                                      • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                                                      • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                                                      • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                                                      • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                                      • String ID: D$PromptOnSecureDesktop
                                                                                                                      • API String ID: 2981417381-1403908072
                                                                                                                      • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                                      • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                                                      • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                                      • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                                                      APIs
                                                                                                                      • IsBadReadPtr.KERNEL32(?,00000008), ref: 020867C3
                                                                                                                      • htonl.WS2_32(?), ref: 020867DF
                                                                                                                      • htonl.WS2_32(?), ref: 020867EE
                                                                                                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 020868F1
                                                                                                                      • ExitProcess.KERNEL32 ref: 020869BC
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Processhtonl$CurrentExitRead
                                                                                                                      • String ID: except_info$localcfg
                                                                                                                      • API String ID: 1430491713-3605449297
                                                                                                                      • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                                      • Instruction ID: fb5f790557eebdf9d0531b3a12fd1690d7a86f647aff611c5379811f0633af7e
                                                                                                                      • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                                      • Instruction Fuzzy Hash: 39615E71A40308AFDB60AFB4DC45FEA77E9FB08300F148066FAADD2161EB7599909F54
                                                                                                                      APIs
                                                                                                                      • htons.WS2_32(0208CC84), ref: 0208F5B4
                                                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0208F5CE
                                                                                                                      • closesocket.WS2_32(00000000), ref: 0208F5DC
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: closesockethtonssocket
                                                                                                                      • String ID: time_cfg
                                                                                                                      • API String ID: 311057483-2401304539
                                                                                                                      • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                                      • Instruction ID: f2fa2add3c1d964694db8bd94245ff0733faee41245f38ef13adea976e3f5593
                                                                                                                      • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                                      • Instruction Fuzzy Hash: EC315A72900219ABDB11AFB5DC889EF7BBCEB88350F104566FA45E3150E7708A919BA4
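The function listings above carry the patterns an analyst reads off such a report by hand: a CreateProcessA call whose sixth argument (dwCreationFlags) is 00000004, i.e. CREATE_SUSPENDED, followed by GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread (the ref 004097B1 function); GetModuleHandleA/LoadLibraryA plus GetProcAddress resolving iphlpapi.dll and DnsQuery_A at run time; and socket(00000002,00000001,00000000) with htons(00000035), i.e. an AF_INET SOCK_STREAM socket and port 53. The script below is an added example written for this page, not code from Joe Sandbox or from the sample. It parses "Name.MODULE(args), ref: ADDR" lines exactly as they appear above and flags those three patterns. The chain and flag definitions are this example's own assumptions about what is worth flagging, and SAMPLE_REPORT is a subset of the listings copied from this report.

```python
"""Pattern checks over the per-function "APIs" listings of a Joe Sandbox report.

Added example for this page (not Joe Sandbox code, not the sample's code).
Flags: a CREATE_SUSPENDED process-hollowing call chain, dynamic API resolution
via GetModuleHandle/LoadLibrary + GetProcAddress, and socket parameters
(family/type, htons() port) decoded from literal arguments.
"""
import re

# Matches "• Name.MODULE(arg,arg), ref: ADDR" and "• Part of subcall function X: Name.MODULE ref: ADDR".
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")   # Joe Sandbox prints numeric stack values as 8 hex digits

CREATE_SUSPENDED = 0x00000004             # dwCreationFlags bit; 6th CreateProcess argument
# Assumed chain definitions (this example's choice of what to flag).
HOLLOW_CHAIN = ["CreateProcess", "GetThreadContext", "WriteProcessMemory",
                "SetThreadContext", "ResumeThread"]
RESOLVERS = {"GetModuleHandle", "LoadLibrary"}
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}


def parse_arg(tok):
    """8-digit hex -> int; anything else ('?' or a literal string) stays a string."""
    tok = tok.strip()
    return int(tok, 16) if HEX32.match(tok) else tok


def parse_functions(text):
    """Split the report at each 'APIs' header; return one list of calls per function."""
    funcs, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            funcs.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            # Drop the ANSI/Unicode suffix so chains match CreateProcessA and CreateProcessW alike.
            base = re.sub(r"(?<=[a-z])[AW]$", "", m["name"])
            current.append({"name": base, "module": m["module"], "args": args,
                            "ref": m["ref"], "subcall": m["sub"] is not None})
    return [f for f in funcs if f]


def in_order(calls, chain):
    """True if every name in chain occurs in calls in that relative order (gaps allowed)."""
    it = iter(c["name"] for c in calls)
    return all(any(n == want for n in it) for want in chain)


def analyze(text):
    """Return (kind, ref, details) findings for each parsed function."""
    findings = []
    for calls in parse_functions(text):
        where = calls[0]["ref"]
        if in_order(calls, HOLLOW_CHAIN):
            cp = next(c for c in calls if c["name"] == "CreateProcess")
            flags = cp["args"][5] if len(cp["args"]) > 5 else None
            suspended = isinstance(flags, int) and bool(flags & CREATE_SUSPENDED)
            findings.append(("process_hollowing", where, {"create_suspended": suspended}))
        names = {c["name"] for c in calls}
        if "GetProcAddress" in names and names & RESOLVERS:
            literals = [a for c in calls if c["name"] in RESOLVERS | {"GetProcAddress"}
                        for a in c["args"] if isinstance(a, str) and a != "?"]
            findings.append(("dynamic_api_resolution", where, {"strings": literals}))
        for c in calls:
            a = c["args"]
            # htons() with a value above 0xFFFF is a stack pointer Joe printed, not a port.
            if c["name"] == "htons" and a and isinstance(a[0], int) and a[0] <= 0xFFFF:
                findings.append(("port", c["ref"], {"port": a[0]}))
            if c["name"] == "socket" and len(a) >= 2:
                findings.append(("socket", c["ref"],
                                 {"family": AF.get(a[0], a[0]), "type": SOCK.get(a[1], a[1])}))
    return findings


# Subset of the listings copied from this report (the "APIs" blocks at 0040F34D, 02083068, 00402D3A, 004097B1).
SAMPLE_REPORT = """\
APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Strings
Memory Dump Source
• Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02083068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02083078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 02083095
• htons.WS2_32(00000035), ref: 020830EF
• gethostbyname.WS2_32(?), ref: 0208310D
APIs
• GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
APIs
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
"""

if __name__ == "__main__":
    for kind, ref, details in analyze(SAMPLE_REPORT):
        print(f"{kind:24s} @ {ref}: {details}")
```

The checks deliberately key on literal arguments only; a "?" means Joe Sandbox could not recover the value, so a missing flag is "unknown", not "absent". Paste the full report text in place of SAMPLE_REPORT to run it over every function block.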
                                                                                                                      APIs
                                                                                                                      • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                                      • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                                      • wsprintfA.USER32 ref: 00407036
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                                      • String ID: /%d$|
                                                                                                                      • API String ID: 676856371-4124749705
                                                                                                                      • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                                      • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                                                      • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                                      • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
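The "API ID" under Similarity is the field an analyst uses to find the same function in other dumps and other samples, and every block on this page carries one. Its construction is not documented on the page, but it can be inferred from the listings here: each API name is split at CamelCase boundaries, tokens shorter than four characters are dropped (Get, Set, Rtl, Reg, Key, Ex, Sid, To and the ANSI "A" suffix never appear in an ID), tokens are grouped by how many times they occur across the function's calls, groups are emitted most-frequent first and separated by "$", and each group is sorted in ASCII order. The following Python is an added example, not Joe Sandbox code; the threshold and the grouping rule are inferred from the blocks on this page, and the numeric "API String ID" is a hash the page does not define, so it is not reproduced.

```python
import re
from collections import Counter

# A capitalised CamelCase word, or a lowercase C-style name such as
# lstrcpyn / inet_addr (kept whole, underscores included).
_TOKEN = re.compile(r"[A-Z][a-z0-9]*|[a-z][a-z0-9_]*")

# Inferred from this page: tokens of three characters or fewer (Get, Set,
# Rtl, Reg, Key, Ex, Sid, To, Re, the 'A'/'W' suffix) are never part of an ID.
MIN_TOKEN_LEN = 4


def split_api_name(name):
    """'RtlReAllocateHeap' -> ['Rtl', 'Re', 'Allocate', 'Heap']."""
    return _TOKEN.findall(name)


def api_id(api_names):
    """Rebuild the Similarity 'API ID' string from a function's API calls.

    Every call counts once, so two CloseHandle references give Close=2 and
    Handle=2. Tokens are grouped by occurrence count, most frequent group
    first, groups joined with '$', and sorted in ASCII order inside a group
    (uppercase tokens therefore precede lowercase ones such as 'wsprintf').
    """
    counts = Counter(
        tok
        for name in api_names
        for tok in split_api_name(name)
        if len(tok) >= MIN_TOKEN_LEN
    )
    if not counts:
        # Observed on this page: a block with no API references shows "Code".
        return "Code"
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join(
        "".join(sorted(groups[n])) for n in sorted(groups, reverse=True)
    )


def same_api_profile(calls_a, calls_b):
    """True when two functions (possibly from different dumps) share an API ID.

    The ANSI/Unicode suffix is dropped by the length rule, so lstrlen and
    lstrlenA variants of the same routine compare equal.
    """
    return api_id(calls_a) == api_id(calls_b)


if __name__ == "__main__":
    # Call list copied from the suspended-process injection block on this page.
    injector = ["CreateProcessA", "GetThreadContext", "TerminateProcess",
                "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
    print(api_id(injector))  # ProcessThread$Context$CreateMemoryResumeTerminateWrite
```

Feeding each block's API list through `api_id` reproduces the ID printed in that block, which is the check that the inferred rule is right for this report; the practical use is computing the same string for a function in a fresh dump and searching other reports for it.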
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(?), ref: 02082FA1
                                                                                                                      • LoadLibraryA.KERNEL32(?), ref: 02082FB1
                                                                                                                      • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02082FC8
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02083000
                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02083007
                                                                                                                      • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02083032
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                                      • String ID: dnsapi.dll
                                                                                                                      • API String ID: 1242400761-3175542204
                                                                                                                      • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                                      • Instruction ID: f3fc77bd00f95d34168370d4fc717fbddc257c3a9fb1d10f28fa8cc22fd05e79
                                                                                                                      • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                                      • Instruction Fuzzy Hash: 0B219271D00729BBCB22AB94DC48AEFBBB8EF48B14F004461F941E7141D7B49A81DBD4
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\eafwolca,02087043), ref: 02086F4E
                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02086F55
                                                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02086F7B
                                                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02086F92
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                                      • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\eafwolca
                                                                                                                      • API String ID: 1082366364-3864767741
                                                                                                                      • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                                      • Instruction ID: c0bd8873821a63704d3387d6d9b9e99f63c7b9e3e795c2ef59342c5f425780fa
                                                                                                                      • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                                      • Instruction Fuzzy Hash: 902104617403407DF76373319C8CFFB2E8C8B52724F2840A5F984D6591DBD984D6966D
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Code
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 3609698214-2980165447
                                                                                                                      • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                                      • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                                                      • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                                      • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                                                      APIs
                                                                                                                      • GetTempPathA.KERNEL32(00000400,?), ref: 020892E2
                                                                                                                      • wsprintfA.USER32 ref: 02089350
                                                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02089375
                                                                                                                      • lstrlen.KERNEL32(?,?,00000000), ref: 02089389
                                                                                                                      • WriteFile.KERNEL32(00000000,?,00000000), ref: 02089394
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0208939B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 2439722600-2980165447
                                                                                                                      • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                                                      • Instruction ID: 8cbabf148e6aa2465cd4a58c27dc0634c28c63623dd077f2c4927a69c44838fb
                                                                                                                      • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                                                      • Instruction Fuzzy Hash: DB1172B27406247BE7207732EC0DFEF3A6EDBC8B11F008065BB49A5191EBB44A459B64
                                                                                                                      APIs
                                                                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                                                      • wsprintfA.USER32 ref: 004090E9
                                                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 2439722600-2980165447
                                                                                                                      • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                                      • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                                                      • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                                      • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                                                      APIs
                                                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02089A18
                                                                                                                      • GetThreadContext.KERNEL32(?,?), ref: 02089A52
                                                                                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 02089A60
                                                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02089A98
                                                                                                                      • SetThreadContext.KERNEL32(?,00010002), ref: 02089AB5
                                                                                                                      • ResumeThread.KERNEL32(?), ref: 02089AC2
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                                      • String ID: D
                                                                                                                      • API String ID: 2981417381-2746444292
                                                                                                                      • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                                      • Instruction ID: 17c4471a119d96f0040c32f6f5c15383d851344a2d2f07ced2f440c76a4e044b
                                                                                                                      • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                                      • Instruction Fuzzy Hash: EE216BB1A01219BBDB12ABA1DC08EEF7BBCEF04750F404061FA19E1150E7718A40DBA4
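The six references above, read in address order, are the suspended-process injection pattern: CreateProcessA with dwCreationFlags 00000004 (CREATE_SUSPENDED), GetThreadContext on the new primary thread, TerminateProcess on what is most likely the failure path, a 4-byte WriteProcessMemory, SetThreadContext, then ResumeThread. The second SetThreadContext argument, 00010002, is the ContextFlags word CONTEXT_i386 | CONTEXT_INTEGER, which is what a loader sets when it only needs to repoint the integer registers (typically EAX to a new entry point) before resuming; the 4-byte write is consistent with patching the image base pointer in the child's PEB. Both readings are interpretations of the recovered argument values, not something the report states. The Python below is an added example, not part of the Joe Sandbox report: it parses lines in the report's own "APIs" format, treats the address-ordered static references as the call sequence, and flags the chain while decoding the creation and context flags. The benign listing in it is constructed for contrast and does not come from this sample.

```python
import re

# One line of the report's "APIs" listing, for example
#   • SetThreadContext.KERNEL32(?,00010002), ref: 02089AB5
# Argument values are hex, '?' (not recovered statically) or a literal string.
_API_LINE = re.compile(
    r"^\W*(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit, winbase.h

# CONTEXT.ContextFlags bits for x86, winnt.h.
_CONTEXT_FLAGS = {
    0x00000001: "CONTEXT_CONTROL",
    0x00000002: "CONTEXT_INTEGER",
    0x00000004: "CONTEXT_SEGMENTS",
    0x00000008: "CONTEXT_FLOATING_POINT",
    0x00000010: "CONTEXT_DEBUG_REGISTERS",
    0x00000020: "CONTEXT_EXTENDED_REGISTERS",
    0x00010000: "CONTEXT_i386",
}

# The six API references from the block above, copied verbatim.
SAMPLE_LINES = [
    "• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02089A18",
    "• GetThreadContext.KERNEL32(?,?), ref: 02089A52",
    "• TerminateProcess.KERNEL32(?,00000000), ref: 02089A60",
    "• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02089A98",
    "• SetThreadContext.KERNEL32(?,00010002), ref: 02089AB5",
    "• ResumeThread.KERNEL32(?), ref: 02089AC2",
]

# Constructed benign listing (not from the page): an ordinary child launch.
BENIGN_LINES = [
    "• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000",
    "• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401020",
    "• CloseHandle.KERNEL32(?), ref: 00401030",
]


def parse_api_line(line):
    """Split one 'Name.MODULE(args), ref: ADDR' line into its parts."""
    m = _API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args, "ref": m.group("ref")}


def hex_arg(args, index):
    """Integer value of args[index], or None if absent or unresolved ('?')."""
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):
        return None


def decode_context_flags(value):
    return [name for bit, name in sorted(_CONTEXT_FLAGS.items()) if value & bit]


def find_hollowing_chain(lines):
    """Return a finding if the listing contains, in order,
    CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory -> SetThreadContext
    -> ResumeThread; unrelated calls in between are ignored. Else None."""
    finding, stage = None, 0
    for call in filter(None, map(parse_api_line, lines)):
        name = call["name"]
        if stage == 0 and name in ("CreateProcessA", "CreateProcessW"):
            flags = hex_arg(call["args"], 5)  # dwCreationFlags, 6th parameter
            if flags is not None and flags & CREATE_SUSPENDED:
                finding = {"create_ref": call["ref"], "creation_flags": flags}
                stage = 1
        elif stage == 1 and name == "WriteProcessMemory":
            finding["write_size"] = hex_arg(call["args"], 3)  # nSize, 4th parameter
            stage = 2
        elif stage == 2 and name == "SetThreadContext":
            ctx = hex_arg(call["args"], 1)  # recovered ContextFlags word
            finding["context_flags"] = decode_context_flags(ctx) if ctx is not None else []
            stage = 3
        elif stage == 3 and name == "ResumeThread":
            finding["resume_ref"] = call["ref"]
            return finding
    return None


if __name__ == "__main__":
    print(find_hollowing_chain(SAMPLE_LINES))
    print(find_hollowing_chain(BENIGN_LINES))  # None
```

The state machine deliberately tolerates intervening calls such as GetThreadContext and TerminateProcess, because the listing interleaves the error path with the main path; it only insists that CREATE_SUSPENDED is set, since a child created without that bit cannot have its initial thread context rewritten before it starts running.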
                                                                                                                      APIs
                                                                                                                      • inet_addr.WS2_32(004102D8), ref: 02081C18
                                                                                                                      • LoadLibraryA.KERNEL32(004102C8), ref: 02081C26
                                                                                                                      • GetProcessHeap.KERNEL32 ref: 02081C84
                                                                                                                      • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02081C9D
                                                                                                                      • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02081CC1
                                                                                                                      • HeapFree.KERNEL32(?,00000000,00000000), ref: 02081D02
                                                                                                                      • FreeLibrary.KERNEL32(?), ref: 02081D0B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2324436984-0
                                                                                                                      • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                                      • Instruction ID: 49cc952ca1260fe180e50dfde48c7bbb928e0981796092fa327e2b617c756526
                                                                                                                      • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                                      • Instruction Fuzzy Hash: 15315E32D00309BFCB52AFA4DC889AFFBF9EF45305B24447AE549A2110D7B54E81EB94
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                                                      • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: QueryValue$CloseOpen
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 1586453840-2980165447
                                                                                                                      • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                                      • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                                                      • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                                      • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                                                      APIs
                                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                                                      • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                                                      • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseHandle$CreateEvent
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 1371578007-2980165447
                                                                                                                      • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                                      • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                                                      • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                                      • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                                                      APIs
                                                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02086CE4
                                                                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02086D22
                                                                                                                      • GetLastError.KERNEL32 ref: 02086DA7
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 02086DB5
                                                                                                                      • GetLastError.KERNEL32 ref: 02086DD6
                                                                                                                      • DeleteFileA.KERNEL32(?), ref: 02086DE7
                                                                                                                      • GetLastError.KERNEL32 ref: 02086DFD
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3873183294-0
                                                                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                      • Instruction ID: ebd2f88b88f38dec5427a190003c64ab1c93759932554d61670a1a23ff671fa5
                                                                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                      • Instruction Fuzzy Hash: 7431EE72D00349BFCB01AFA4DD48ADF7FBDEB48310F158475E291A3211E7728A85AB61
                                                                                                                      APIs
                                                                                                                      • BuildCommDCBW.KERNEL32(00000000,?), ref: 0041A25D
                                                                                                                      • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A275
                                                                                                                      • UnhandledExceptionFilter.KERNEL32(00000000), ref: 0041A27D
                                                                                                                      • SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,0041C980), ref: 0041A2C4
                                                                                                                      • GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 0041A2D5
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594975942.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_415000_uMlLpvdLRU.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BuildCalendarCommExceptionFilterInfoNamePathPrivateProfileShortStringUnhandledWrite
                                                                                                                      • String ID: -
                                                                                                                      • API String ID: 1417380309-2547889144
                                                                                                                      • Opcode ID: 2c70b2e27553c37d51635817894fb92d35fd66a59e975567011c2500a9255d00
                                                                                                                      • Instruction ID: a6596ea4d5d39f75678243f646b5f7fb3d1533af8648bb96340218ed538d7df8
                                                                                                                      • Opcode Fuzzy Hash: 2c70b2e27553c37d51635817894fb92d35fd66a59e975567011c2500a9255d00
                                                                                                                      • Instruction Fuzzy Hash: BA212970745304ABD760DF64EC85BDE7BA4EB0C711F5000E9F709AA2C1CA7519C18B5E
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 020893C6
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 020893CD
                                                                                                                      • CharToOemA.USER32(?,?), ref: 020893DB
                                                                                                                      • wsprintfA.USER32 ref: 02089410
                                                                                                                        • Part of subcall function 020892CB: GetTempPathA.KERNEL32(00000400,?), ref: 020892E2
                                                                                                                        • Part of subcall function 020892CB: wsprintfA.USER32 ref: 02089350
                                                                                                                        • Part of subcall function 020892CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02089375
                                                                                                                        • Part of subcall function 020892CB: lstrlen.KERNEL32(?,?,00000000), ref: 02089389
                                                                                                                        • Part of subcall function 020892CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02089394
                                                                                                                        • Part of subcall function 020892CB: CloseHandle.KERNEL32(00000000), ref: 0208939B
                                                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02089448
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 3857584221-2980165447
                                                                                                                      • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                                      • Instruction ID: 2e060224dcb71bbabad60b893cf483993aae151987f228b44cee016a6e6d59ab
                                                                                                                      • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                                      • Instruction Fuzzy Hash: 8E015EF69002587BDB21A7619D8DEEF3B7CDB95701F0040A2BB49E2080EAB497C58F75
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                                                      • CharToOemA.USER32(?,?), ref: 00409174
                                                                                                                      • wsprintfA.USER32 ref: 004091A9
                                                                                                                        • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                                                        • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                                        • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                                        • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                                        • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                                        • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 3857584221-2980165447
                                                                                                                      • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                                      • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                                                      • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                                      • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen
                                                                                                                      • String ID: $localcfg
                                                                                                                      • API String ID: 1659193697-2018645984
                                                                                                                      • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                                      • Instruction ID: 580edfd530c70db6533a615802e04309f00183adbe2bc6f23c84ccf8a4ece042
                                                                                                                      • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                                      • Instruction Fuzzy Hash: C8715B71B00304AADF72BB54DC85FEF3BA99B00718F244027FA85E6890EF7695C4AB55
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                        • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                                                      • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                                      • String ID: flags_upd$localcfg
                                                                                                                      • API String ID: 204374128-3505511081
                                                                                                                      • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                                      • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                                                      • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                                      • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0208DF6C: GetCurrentThreadId.KERNEL32 ref: 0208DFBA
                                                                                                                      • lstrcmp.KERNEL32(00410178,00000000), ref: 0208E8FA
                                                                                                                      • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02086128), ref: 0208E950
                                                                                                                      • lstrcmp.KERNEL32(?,00000008), ref: 0208E989
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                                                      • String ID: A$ A$ A
                                                                                                                      • API String ID: 2920362961-1846390581
                                                                                                                      • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                                      • Instruction ID: 0e130995b376facff2f863763d52b2beeb73cc9b622ce95781bb4352be93b439
                                                                                                                      • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                                      • Instruction Fuzzy Hash: EA319E31A00715EBDBB2AF24C884BAB7BE4EB05724F00892AF5D587551D7B0E880EB81
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Code
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3609698214-0
                                                                                                                      • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                                      • Instruction ID: f6772974e50ec96c48ce860673332e4777531919152353c2b25b63134c9cb243
                                                                                                                      • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                                      • Instruction Fuzzy Hash: 7C214D73104219BFDB11BB64FC49EDF3FAEDB49264B118425F542D1091EB71DA40A674
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                                                      • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0040E538,?,76230F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                                                      • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3819781495-0
APIs
• GetTickCount.KERNEL32 ref: 0208C6B4
• InterlockedIncrement.KERNEL32(0208C74B), ref: 0208C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0208C747), ref: 0208C728
• CloseHandle.KERNEL32(00000000,?,0208C747,00413588,02088A77), ref: 0208C733
Memory Dump Source
• Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 124786226-2980165447
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0208E50A,00000000,00000000,00000000,00020106,00000000,0208E50A,00000000,000000E4), ref: 0208E319
• RegSetValueExA.ADVAPI32(0208E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0208E38E
• RegDeleteValueA.ADVAPI32(0208E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0208E3BF
• RegCloseKey.ADVAPI32(0208E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0208E50A), ref: 0208E3C8
Memory Dump Source
• Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 020871E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02087228
• LocalFree.KERNEL32(?,?,?), ref: 02087286
• wsprintfA.USER32 ref: 0208729D
Memory Dump Source
• Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Memory Dump Source
• Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
APIs
• GetLocalTime.KERNEL32(?), ref: 0208B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0208B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0208B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0208B590
• wsprintfA.USER32 ref: 0208B61E
Memory Dump Source
• Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 02086303
• LoadLibraryA.KERNEL32(?), ref: 0208632A
• GetProcAddress.KERNEL32(00000000,?), ref: 020863B1
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02086405
Memory Dump Source
• Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
Memory Dump Source
• Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                      • lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,00405EC1), ref: 0040E693
                                                                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                                                      • lstrcmpA.KERNEL32(?,00000008,?,76230F10,00000000,?,00405EC1), ref: 0040E722
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                                      • String ID: A$ A
                                                                                                                      • API String ID: 3343386518-686259309
                                                                                                                      • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                                      • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                                                      • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                                      • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040272E
                                                                                                                      • htons.WS2_32(00000001), ref: 00402752
                                                                                                                      • htons.WS2_32(0000000F), ref: 004027D5
                                                                                                                      • htons.WS2_32(00000001), ref: 004027E3
                                                                                                                      • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                                        • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                                        • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1128258776-0
                                                                                                                      • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                                      • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                                                      • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                                      • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                                                      APIs
                                                                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: setsockopt
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3981526788-0
                                                                                                                      • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                                      • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                                                      • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                                      • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                                                      APIs
                                                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$lstrcmpi
                                                                                                                      • String ID: localcfg
                                                                                                                      • API String ID: 1808961391-1857712256
                                                                                                                      • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                                      • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                                                      • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                                      • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0208DF6C: GetCurrentThreadId.KERNEL32 ref: 0208DFBA
                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0208A6AC), ref: 0208E7BF
                                                                                                                      • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0208A6AC), ref: 0208E7EA
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0208A6AC), ref: 0208E819
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 1396056608-2980165447
                                                                                                                      • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                                                      • Instruction ID: 1846aee8e1ad59ae9c0d8563558433b7be7f2c056bde8e2a84dd5e9bb428c570
                                                                                                                      • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                                                      • Instruction Fuzzy Hash: B821E5B1A403007EE2217B319C09FEF3E5DDB65B60F100124FA8EA55D3EAA59450AAB5
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 3683885500-2980165447
                                                                                                                      • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                                                      • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                                                      • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                                                      • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                                      • API String ID: 2574300362-1087626847
                                                                                                                      • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                                      • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                                                      • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                                      • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 020876D9
                                                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0208796D
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0208797E
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseEnumOpen
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 1332880857-2980165447
                                                                                                                      • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                                                      • Instruction ID: 3aa7920e38aeb8f5dc3b253b6c4c272fcea1656b35d38f6cf5b03703f271298b
                                                                                                                      • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                                                      • Instruction Fuzzy Hash: 8611DC70A00209AFDB12AFA9DC44FEFBFB9EB91314F240161F551E62A4E3B08950DB60
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                                      • String ID: hi_id$localcfg
                                                                                                                      • API String ID: 2777991786-2393279970
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0208999D
• RegDeleteValueA.ADVAPI32(?,00000000), ref: 020899BD
• RegCloseKey.ADVAPI32(?), ref: 020899C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
Yara matches
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
• RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
• RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
Strings
Memory Dump Source
• Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
Yara matches
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 020869E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02086A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 02086A3A
• CloseHandle.KERNEL32(000000FF), ref: 02086BD8
  • Part of subcall function 0208EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02081DCF,?), ref: 0208EEA8
  • Part of subcall function 0208EE95: HeapFree.KERNEL32(00000000), ref: 0208EEAF
Memory Dump Source
• Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 020841AB
• GetLastError.KERNEL32 ref: 020841B5
• WaitForSingleObject.KERNEL32(?,?), ref: 020841C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 020841D9
Memory Dump Source
• Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0208421F
• GetLastError.KERNEL32 ref: 02084229
• WaitForSingleObject.KERNEL32(?,?), ref: 0208423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0208424D
Memory Dump Source
• Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 0208E066
Strings
Memory Dump Source
• Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
Yara matches
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
APIs
• QueryDosDeviceW.KERNEL32(00000000,00000000,00000000,00000000,0041B044,0041A6D1), ref: 0041A32C
• FreeEnvironmentStringsW.KERNEL32(00000000,00000000,0041B044,0041A6D1), ref: 0041A347
• RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0041A36A
• GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 0041A374
Memory Dump Source
• Source File: 00000000.00000002.4594975942.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_415000_uMlLpvdLRU.jbxd
Similarity
• API ID: AllocateDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
• String ID:
• API String ID: 2305449109-0
                                                                                                                      • Opcode ID: 817948169098ee1c181d8f2d6ff3379bb376ad68d85d1d4e020b05e7d4706848
                                                                                                                      • Instruction ID: 6d2837cc59693e195cef3f5a479ad1203b8954106daa288a17772126bb345ff7
                                                                                                                      • Opcode Fuzzy Hash: 817948169098ee1c181d8f2d6ff3379bb376ad68d85d1d4e020b05e7d4706848
                                                                                                                      • Instruction Fuzzy Hash: 60F0FE31785204FBEA30A7A4ED4AF963764E718716F508032F715A92E0D6A42895CE6E
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                                                      • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2207858713-0
                                                                                                                      • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                                      • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                                                      • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                                      • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                                      • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2207858713-0
                                                                                                                      • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                      • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                                      • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                      • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                                                      • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                                                      • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                                                      • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2207858713-0
                                                                                                                      • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                                      • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                                                      • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                                      • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 00403103
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                                      • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2207858713-0
                                                                                                                      • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                                      • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                                                      • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                                      • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                                                      APIs
                                                                                                                      • WriteFile.KERNEL32(00000001,020844E2,00000000,00000000,00000000), ref: 0208E470
                                                                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 0208E484
                                                                                                                        • Part of subcall function 0208E2FC: RegCreateKeyExA.ADVAPI32(80000001,0208E50A,00000000,00000000,00000000,00020106,00000000,0208E50A,00000000,000000E4), ref: 0208E319
                                                                                                                        • Part of subcall function 0208E2FC: RegSetValueExA.ADVAPI32(0208E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0208E38E
                                                                                                                        • Part of subcall function 0208E2FC: RegDeleteValueA.ADVAPI32(0208E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0208E3BF
                                                                                                                        • Part of subcall function 0208E2FC: RegCloseKey.ADVAPI32(0208E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0208E50A), ref: 0208E3C8
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 4151426672-2980165447
                                                                                                                      • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                                      • Instruction ID: 2b98ff685954140c816a65b74b25de078f968a8bf133daad0dd8e89027b85047
                                                                                                                      • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                                      • Instruction Fuzzy Hash: 4E41A4B2900314BBEB217E61CC45FEB3BADEB04724F148035FE49A4191E7B58650EAA5
                                                                                                                      APIs
                                                                                                                      • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                                                        • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                                        • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                                        • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                                        • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 4151426672-2980165447
                                                                                                                      • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                                                      • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                                                      • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                                                      • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
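The function entries above repeat two patterns worth pulling out of the listing mechanically: several functions call GetTickCount twice around a Sleep (the chain the report summary flags as indicative of debugger detection), and two functions reach RegCreateKeyExA/RegSetValueExA with the literal PromptOnSecureDesktop among the resolved arguments. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses "APIs" blocks in the shape shown on this page (the layout is an assumption reconstructed from these lines, not a documented schema), keeps direct calls apart from "Part of subcall function" lines, and applies count-based heuristics only, because the "ref:" addresses are listed by address rather than execution order. The sample listing embedded in it is constructed from the entries above.

```python
"""Parse the 'APIs' blocks of a Joe Sandbox function listing and flag
API chains that deserve a second look.  Added example: the block layout
is an assumption reconstructed from this report's own lines, not a
documented Joe Sandbox schema."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input, in the shape of the "APIs" blocks on this page.
SAMPLE_LISTING = """\
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 00000000.00000002.sdmp, Offset: 00400000, based on PE: true
APIs
• WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
• CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
  • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
  • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
Strings
"""

# One bullet of an "APIs" block: optional "Part of subcall function X:",
# then Api.MODULE, optional "(args)", and the "ref: ADDR" call site.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # 32-bit immediate/pointer args


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                      # address of the call instruction
    subcall_of: Optional[int]     # callee address when the line is "Part of subcall"


@dataclass
class FunctionEntry:
    calls: List[Call] = field(default_factory=list)

    def direct_apis(self) -> List[str]:
        return [c.api for c in self.calls if c.subcall_of is None]

    def string_args(self) -> List[str]:
        """Arguments that are neither '?' nor a 32-bit hex value: these are
        the literals the analyser resolved, e.g. a registry value name."""
        return [a for c in self.calls for a in c.args
                if a and a != "?" and not HEX_ARG.match(a)]


def parse_listing(text: str) -> List[FunctionEntry]:
    """Split the listing into one FunctionEntry per 'APIs' header."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        m = API_LINE.search(line)
        if m is None or current is None:
            continue                    # Opcode ID, Source File, ... are not calls
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        sub = m.group("sub")
        current.calls.append(Call(
            api=m.group("api"), module=m.group("module"), args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(sub, 16) if sub else None))
    return entries


def flag_entry(entry: FunctionEntry) -> List[str]:
    """Heuristics over one function's call set (counts only: refs are
    sorted by address, not by execution order)."""
    flags: List[str] = []
    direct = entry.direct_apis()
    # Two GetTickCount reads plus a Sleep in one function is the usual
    # elapsed-time check: under a debugger, or with Sleep hooked to return
    # immediately, the measured delta no longer matches the requested wait.
    if direct.count("GetTickCount") >= 2 and "Sleep" in direct:
        flags.append("timing-check: GetTickCount x2 + Sleep")
    all_apis = {c.api for c in entry.calls}
    if all_apis & {"RegCreateKeyExA", "RegSetValueExA"}:
        names = sorted(set(entry.string_args()))
        flags.append("registry-write: " + ",".join(names) if names else "registry-write")
    return flags


def analyse(text: str) -> List[List[str]]:
    return [flag_entry(e) for e in parse_listing(text)]


if __name__ == "__main__":
    for i, flags in enumerate(analyse(SAMPLE_LISTING)):
        print(f"function {i}: {flags or ['-']}")
```

Run it against a full report export and the output is one line per function; entries that are flagged as both a timing check and a registry write are the ones to open first in the disassembly. The heuristic deliberately ignores argument values other than resolved literals, since the hex arguments in these listings are stack contents at the time of the call and are frequently stale.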
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 020883C6
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02088477
                                                                                                                        • Part of subcall function 020869C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 020869E5
                                                                                                                        • Part of subcall function 020869C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02086A26
                                                                                                                        • Part of subcall function 020869C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02086A3A
                                                                                                                        • Part of subcall function 0208EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02081DCF,?), ref: 0208EEA8
                                                                                                                        • Part of subcall function 0208EE95: HeapFree.KERNEL32(00000000), ref: 0208EEAF
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 359188348-2980165447
                                                                                                                      • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                                      • Instruction ID: 2724858bd519a30ad1be6d2ae0aba5c1749d747f9f184cd50d72b4e1b9a4c2ab
                                                                                                                      • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                                      • Instruction Fuzzy Hash: 864171B290020DBFEB11FBA09D80EFF77ADEB04304F5484A6E584D6110FBB05A94AB64
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,0208E859,00000000,00020119,0208E859,PromptOnSecureDesktop), ref: 0208E64D
                                                                                                                      • RegCloseKey.ADVAPI32(0208E859,?,?,?,?,000000C8,000000E4), ref: 0208E787
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseOpen
                                                                                                                      • String ID: PromptOnSecureDesktop
                                                                                                                      • API String ID: 47109696-2980165447
                                                                                                                      • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                                                      • Instruction ID: c257cf7e6b94d81f34863d2b954edc28be7cd67dc6b021f1ba82f4bda334e80e
                                                                                                                      • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                                                      • Instruction Fuzzy Hash: 434109B2D0021DBFDF11EFA4DC84DEEBBB9FB08344F144466FA40A6150E3719A559B60
                                                                                                                      APIs
                                                                                                                      • GetLocalTime.KERNEL32(?), ref: 0208AFFF
                                                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0208B00D
                                                                                                                        • Part of subcall function 0208AF6F: gethostname.WS2_32(?,00000080), ref: 0208AF83
                                                                                                                        • Part of subcall function 0208AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0208AFE6
                                                                                                                        • Part of subcall function 0208331C: gethostname.WS2_32(?,00000080), ref: 0208333F
                                                                                                                        • Part of subcall function 0208331C: gethostbyname.WS2_32(?), ref: 02083349
                                                                                                                        • Part of subcall function 0208AA0A: inet_ntoa.WS2_32(00000000), ref: 0208AA10
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                                      • String ID: %OUTLOOK_BND_
                                                                                                                      • API String ID: 1981676241-3684217054
                                                                                                                      • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                                      • Instruction ID: 325e11499c122cf16a0d6d67822d6b8668a70156c8ba697a81960d0e9256c09b
                                                                                                                      • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                                      • Instruction Fuzzy Hash: 3F41FCB290034CABDB25AFA0DC45EEF3BADFB08304F14442AF92592151EA75E6549F54
                                                                                                                      APIs
                                                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02089536
                                                                                                                      • Sleep.KERNEL32(000001F4), ref: 0208955D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ExecuteShellSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4194306370-3916222277
                                                                                                                      • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                                      • Instruction ID: 697e8c19050f8e433c75cff2aa1ee8a9f716dd48bf4e9bffb99940f7f3e6591a
                                                                                                                      • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                                      • Instruction Fuzzy Hash: 2E41E4B190438D6FEBB7BB64D888BBB3BE49B02314F1401A5D4C2973A2D7B44981E711
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 0208B9D9
                                                                                                                      • InterlockedIncrement.KERNEL32(00413648), ref: 0208BA3A
                                                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 0208BA94
                                                                                                                      • GetTickCount.KERNEL32 ref: 0208BB79
                                                                                                                      • GetTickCount.KERNEL32 ref: 0208BB99
                                                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 0208BE15
                                                                                                                      • closesocket.WS2_32(00000000), ref: 0208BEB4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountIncrementInterlockedTick$closesocket
                                                                                                                      • String ID: %FROM_EMAIL
                                                                                                                      • API String ID: 1869671989-2903620461
                                                                                                                      • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                                      • Instruction ID: 0333b5a0ab3b6e0270b1a9a042e86047f2cee39b6ad9d7a08e7be6a59af01e56
                                                                                                                      • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                                      • Instruction Fuzzy Hash: 23318B72500348EFDF65EFA4DC84AEEB7A9EB48304F204056FA64C2160EB709685DF14
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountTick
                                                                                                                      • String ID: localcfg
                                                                                                                      • API String ID: 536389180-1857712256
                                                                                                                      • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                                      • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                                                      • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                                      • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountTickwsprintf
                                                                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                                      • API String ID: 2424974917-1012700906
                                                                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                                      • String ID: %FROM_EMAIL
                                                                                                                      • API String ID: 3716169038-2903620461
                                                                                                                      • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                                                      • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                                                      APIs
                                                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 020870BC
                                                                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 020870F4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Name$AccountLookupUser
                                                                                                                      • String ID: |
                                                                                                                      • API String ID: 2370142434-2343686810
                                                                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                                      • Instruction ID: aeaecfcc7673227d1802c771807a239085fca7687d45ce6d91001a718f86b38a
                                                                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                                      • Instruction Fuzzy Hash: DB112E76900218EBDF51DBD8DC84AEFB7BCAB04305F2441A6E551E6068D7709784DBA0
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                                      • String ID: localcfg
                                                                                                                      • API String ID: 2777991786-1857712256
                                                                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                                                      APIs
                                                                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                                                      • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                                                                      • String ID: %FROM_EMAIL
                                                                                                                      • API String ID: 224340156-2903620461
                                                                                                                      • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                                      • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                                                      • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                                      • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                                                      APIs
                                                                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                                                      • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                                                                      • String ID: localcfg
                                                                                                                      • API String ID: 2112563974-1857712256
                                                                                                                      • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                                      • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                                                      • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                                      • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: gethostbynameinet_addr
                                                                                                                      • String ID: time_cfg
                                                                                                                      • API String ID: 1594361348-2401304539
                                                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                      • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                      • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000), ref: 0040EAF2
                                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: ntdll.dll
                                                                                                                      • API String ID: 2574300362-2227199552
                                                                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 02082F88: GetModuleHandleA.KERNEL32(?), ref: 02082FA1
                                                                                                                        • Part of subcall function 02082F88: LoadLibraryA.KERNEL32(?), ref: 02082FB1
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 020831DA
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 020831E1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4595679659.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2080000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1017166417-0
                                                                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                                      • Instruction ID: 9af67915a81f682cb6152b7de1d3b9b56323341f0991eaeefa239b0316db8274
                                                                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                                      • Instruction Fuzzy Hash: 48519A3190034AAFCF02AF64D888AFAB7B5FF55705F1441A9EC96C7210E7329A19DB90
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.4594901128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.4594901128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_uMlLpvdLRU.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1017166417-0
                                                                                                                      • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                                                      • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage: 2.6%
                                                                                                                      Dynamic/Decrypted Code Coverage: 97%
                                                                                                                      Signature Coverage: 0%
                                                                                                                      Total number of Nodes: 1622
                                                                                                                      Total number of Limit Nodes: 16
                                                                                                                      execution_graph 17722 6e3c7e 17723 6e3c8d 17722->17723 17726 6e441e 17723->17726 17727 6e4439 17726->17727 17728 6e4442 CreateToolhelp32Snapshot 17727->17728 17729 6e445e Module32First 17727->17729 17728->17727 17728->17729 17730 6e446d 17729->17730 17732 6e3c96 17729->17732 17733 6e40dd 17730->17733 17734 6e4108 17733->17734 17735 6e4119 VirtualAlloc 17734->17735 17736 6e4151 17734->17736 17735->17736 17736->17736 17737 409961 RegisterServiceCtrlHandlerA 17738 40997d 17737->17738 17739 4099cb 17737->17739 17747 409892 17738->17747 17741 40999a 17742 4099ba 17741->17742 17743 409892 SetServiceStatus 17741->17743 17742->17739 17745 409892 SetServiceStatus 17742->17745 17744 4099aa 17743->17744 17744->17742 17750 4098f2 17744->17750 17745->17739 17748 4098c2 SetServiceStatus 17747->17748 17748->17741 17751 4098f6 17750->17751 17753 409904 Sleep 17751->17753 17755 409917 17751->17755 17758 404280 CreateEventA 17751->17758 17753->17751 17754 409915 17753->17754 17754->17755 17757 409947 17755->17757 17785 40977c 17755->17785 17757->17742 17759 4042a5 17758->17759 17760 40429d 17758->17760 17799 403ecd 17759->17799 17760->17751 17762 4042b0 17803 404000 17762->17803 17765 4043c1 CloseHandle 17765->17760 17766 4042ce 17809 403f18 WriteFile 17766->17809 17771 4043ba CloseHandle 17771->17765 17772 404318 17773 403f18 4 API calls 17772->17773 17774 404331 17773->17774 17775 403f18 4 API calls 17774->17775 17776 40434a 17775->17776 17817 40ebcc GetProcessHeap HeapAlloc 17776->17817 17779 403f18 4 API calls 17780 404389 17779->17780 17820 40ec2e 17780->17820 17783 403f8c 4 API calls 17784 40439f CloseHandle CloseHandle 17783->17784 17784->17760 17849 40ee2a 17785->17849 17788 4097bb 17788->17757 17789 4097c2 17790 4097d4 Wow64GetThreadContext 17789->17790 17791 409801 17790->17791 17792 4097f5 17790->17792 17851 40637c 17791->17851 17793 4097f6 
TerminateProcess 17792->17793 17793->17788 17795 409816 17795->17793 17796 40981e WriteProcessMemory 17795->17796 17796->17792 17797 40983b Wow64SetThreadContext 17796->17797 17797->17792 17798 409858 ResumeThread 17797->17798 17798->17788 17800 403edc 17799->17800 17802 403ee2 17799->17802 17825 406dc2 17800->17825 17802->17762 17804 40400b CreateFileA 17803->17804 17805 40402c GetLastError 17804->17805 17806 404052 17804->17806 17805->17806 17807 404037 17805->17807 17806->17760 17806->17765 17806->17766 17807->17806 17808 404041 Sleep 17807->17808 17808->17804 17808->17806 17810 403f4e GetLastError 17809->17810 17812 403f7c 17809->17812 17811 403f5b WaitForSingleObject GetOverlappedResult 17810->17811 17810->17812 17811->17812 17813 403f8c ReadFile 17812->17813 17814 403ff0 17813->17814 17815 403fc2 GetLastError 17813->17815 17814->17771 17814->17772 17815->17814 17816 403fcf WaitForSingleObject GetOverlappedResult 17815->17816 17816->17814 17843 40eb74 17817->17843 17821 40ec37 17820->17821 17822 40438f 17820->17822 17846 40eba0 17821->17846 17822->17783 17826 406dd7 17825->17826 17830 406e24 17825->17830 17831 406cc9 17826->17831 17828 406ddc 17828->17828 17829 406e02 GetVolumeInformationA 17828->17829 17828->17830 17829->17830 17830->17802 17832 406cdc GetModuleHandleA GetProcAddress 17831->17832 17833 406dbe 17831->17833 17834 406d12 GetSystemDirectoryA 17832->17834 17835 406cfd 17832->17835 17833->17828 17836 406d27 GetWindowsDirectoryA 17834->17836 17837 406d1e 17834->17837 17835->17834 17839 406d8b 17835->17839 17838 406d42 17836->17838 17837->17836 17837->17839 17841 40ef1e lstrlenA 17838->17841 17839->17833 17842 40ef32 17841->17842 17842->17839 17844 40eb7b GetProcessHeap HeapSize 17843->17844 17845 404350 17843->17845 17844->17845 17845->17779 17847 40eba7 GetProcessHeap HeapSize 17846->17847 17848 40ebbf GetProcessHeap HeapFree 17846->17848 17847->17848 17848->17822 17850 409794 CreateProcessA 17849->17850 17850->17788 17850->17789 17852 406386 
17851->17852 17853 40638a GetModuleHandleA VirtualAlloc 17851->17853 17852->17795 17854 4063f5 17853->17854 17855 4063b6 17853->17855 17854->17795 17856 4063be VirtualAllocEx 17855->17856 17856->17854 17857 4063d6 17856->17857 17858 4063df WriteProcessMemory 17857->17858 17858->17854 17918 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 18035 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 17918->18035 17920 409a95 17921 409aa3 GetModuleHandleA GetModuleFileNameA 17920->17921 17926 40a3c7 17920->17926 17933 409ac4 17921->17933 17922 40a41c CreateThread WSAStartup 18146 40e52e 17922->18146 18974 40405e CreateEventA 17922->18974 17923 40a406 DeleteFileA 17923->17926 17927 40a40d 17923->17927 17925 409afd GetCommandLineA 17934 409b22 17925->17934 17926->17922 17926->17923 17926->17927 17929 40a3ed GetLastError 17926->17929 17927->17922 17928 40a445 18165 40eaaf 17928->18165 17929->17927 17931 40a3f8 Sleep 17929->17931 17931->17923 17932 40a44d 18169 401d96 17932->18169 17933->17925 17939 409c0c 17934->17939 17945 409b47 17934->17945 17936 40a457 18217 4080c9 17936->18217 18036 4096aa 17939->18036 17949 409b96 lstrlenA 17945->17949 17951 409b58 17945->17951 17946 40a1d2 17952 40a1e3 GetCommandLineA 17946->17952 17947 409c39 17950 40a167 GetModuleHandleA GetModuleFileNameA 17947->17950 17956 409c4b 17947->17956 17949->17951 17954 409c05 ExitProcess 17950->17954 17955 40a189 17950->17955 17951->17954 17959 409bd2 17951->17959 17980 40a205 17952->17980 17955->17954 17964 40a1b2 GetDriveTypeA 17955->17964 17956->17950 17958 404280 30 API calls 17956->17958 17961 409c5b 17958->17961 18048 40675c 17959->18048 17961->17950 17967 40675c 21 API calls 17961->17967 17964->17954 17966 40a1c5 17964->17966 18138 409145 GetModuleHandleA GetModuleFileNameA CharToOemA 17966->18138 17969 409c79 17967->17969 17969->17950 17974 409ca0 GetTempPathA 17969->17974 17975 409e3e 17969->17975 17971 409bff 17971->17954 17972 40a491 17973 40a49f GetTickCount 
17972->17973 17976 40a4be Sleep 17972->17976 17979 40a4b7 GetTickCount 17972->17979 18263 40c913 17972->18263 17973->17972 17973->17976 17974->17975 17978 409cba 17974->17978 17986 409e6b GetEnvironmentVariableA 17975->17986 17987 409e04 17975->17987 17976->17972 18086 4099d2 lstrcpyA 17978->18086 17979->17976 17983 40a285 lstrlenA 17980->17983 17996 40a239 17980->17996 17982 40ec2e codecvt 4 API calls 17985 40a15d 17982->17985 17983->17996 17985->17950 17985->17954 17986->17987 17988 409e7d 17986->17988 17987->17982 17989 4099d2 16 API calls 17988->17989 17990 409e9d 17989->17990 17990->17987 17995 409eb0 lstrcpyA lstrlenA 17990->17995 17991 406dc2 6 API calls 17992 409d5f 17991->17992 17998 406cc9 5 API calls 17992->17998 17994 40a3c2 17999 4098f2 41 API calls 17994->17999 17997 409ef4 17995->17997 18044 406ec3 17996->18044 18000 406dc2 6 API calls 17997->18000 18003 409f03 17997->18003 18002 409d72 lstrcpyA lstrcatA lstrcatA 17998->18002 17999->17926 18000->18003 18001 40a39d StartServiceCtrlDispatcherA 18001->17994 18007 409cf6 18002->18007 18004 409f32 RegOpenKeyExA 18003->18004 18006 409f48 RegSetValueExA RegCloseKey 18004->18006 18010 409f70 18004->18010 18005 40a35f 18005->17994 18005->18001 18006->18010 18093 409326 18007->18093 18015 409f9d GetModuleHandleA GetModuleFileNameA 18010->18015 18011 409e0c DeleteFileA 18011->17975 18012 409dde GetFileAttributesExA 18012->18011 18013 409df7 18012->18013 18013->17987 18130 4096ff 18013->18130 18017 409fc2 18015->18017 18018 40a093 18015->18018 18017->18018 18024 409ff1 GetDriveTypeA 18017->18024 18019 40a103 CreateProcessA 18018->18019 18020 40a0a4 wsprintfA 18018->18020 18021 40a13a 18019->18021 18022 40a12a DeleteFileA 18019->18022 18136 402544 18020->18136 18021->17987 18028 4096ff 3 API calls 18021->18028 18022->18021 18024->18018 18026 40a00d 18024->18026 18030 40a02d lstrcatA 18026->18030 18027 40ee2a 18029 40a0ec lstrcatA 18027->18029 18028->17987 18029->18019 18031 40a046 18030->18031 18032 40a052 
lstrcatA 18031->18032 18033 40a064 lstrcatA 18031->18033 18032->18033 18033->18018 18034 40a081 lstrcatA 18033->18034 18034->18018 18035->17920 18037 4096b9 18036->18037 18366 4073ff 18037->18366 18039 4096e2 18040 4096e9 18039->18040 18041 4096fa 18039->18041 18386 40704c 18040->18386 18041->17946 18041->17947 18043 4096f7 18043->18041 18045 406ed5 18044->18045 18046 406ecc 18044->18046 18045->18005 18411 406e36 GetUserNameW 18046->18411 18049 406784 CreateFileA 18048->18049 18050 40677a SetFileAttributesA 18048->18050 18051 4067a4 CreateFileA 18049->18051 18052 4067b5 18049->18052 18050->18049 18051->18052 18053 4067c5 18052->18053 18054 4067ba SetFileAttributesA 18052->18054 18055 406977 18053->18055 18056 4067cf GetFileSize 18053->18056 18054->18053 18055->17954 18073 406a60 CreateFileA 18055->18073 18057 4067e5 18056->18057 18071 406922 18056->18071 18059 4067ed ReadFile 18057->18059 18057->18071 18058 40696e CloseHandle 18058->18055 18060 406811 SetFilePointer 18059->18060 18059->18071 18061 40682a ReadFile 18060->18061 18060->18071 18062 406848 SetFilePointer 18061->18062 18061->18071 18065 406867 18062->18065 18062->18071 18063 4068d0 18063->18058 18066 40ebcc 4 API calls 18063->18066 18064 406878 ReadFile 18064->18063 18064->18065 18065->18063 18065->18064 18067 4068f8 18066->18067 18068 406900 SetFilePointer 18067->18068 18067->18071 18069 40695a 18068->18069 18070 40690d ReadFile 18068->18070 18072 40ec2e codecvt 4 API calls 18069->18072 18070->18069 18070->18071 18071->18058 18072->18071 18074 406b8c GetLastError 18073->18074 18075 406a8f GetDiskFreeSpaceA 18073->18075 18076 406b86 18074->18076 18077 406ac5 18075->18077 18085 406ad7 18075->18085 18076->17971 18414 40eb0e 18077->18414 18081 406b56 CloseHandle 18081->18076 18084 406b65 GetLastError CloseHandle 18081->18084 18082 406b36 GetLastError CloseHandle 18083 406b7f DeleteFileA 18082->18083 18083->18076 18084->18083 18418 406987 18085->18418 18087 4099eb 18086->18087 18088 409a2f lstrcatA 
18087->18088 18089 40ee2a 18088->18089 18090 409a4b lstrcatA 18089->18090 18091 406a60 13 API calls 18090->18091 18092 409a60 18091->18092 18092->17975 18092->17991 18092->18007 18428 401910 18093->18428 18096 40934a GetModuleHandleA GetModuleFileNameA 18098 40937f 18096->18098 18099 4093a4 18098->18099 18100 4093d9 18098->18100 18101 4093c3 wsprintfA 18099->18101 18102 409401 wsprintfA 18100->18102 18104 409415 18101->18104 18102->18104 18103 4094a0 18430 406edd 18103->18430 18104->18103 18107 406cc9 5 API calls 18104->18107 18106 4094ac 18108 40962f 18106->18108 18109 4094e8 RegOpenKeyExA 18106->18109 18113 409439 18107->18113 18114 409646 18108->18114 18451 401820 18108->18451 18111 409502 18109->18111 18112 4094fb 18109->18112 18116 40951f RegQueryValueExA 18111->18116 18112->18108 18118 40958a 18112->18118 18117 40ef1e lstrlenA 18113->18117 18123 4095d6 18114->18123 18457 4091eb 18114->18457 18120 409530 18116->18120 18121 409539 18116->18121 18122 409462 18117->18122 18118->18114 18119 409593 18118->18119 18119->18123 18438 40f0e4 18119->18438 18124 40956e RegCloseKey 18120->18124 18125 409556 RegQueryValueExA 18121->18125 18126 40947e wsprintfA 18122->18126 18123->18011 18123->18012 18124->18112 18125->18120 18125->18124 18126->18103 18128 4095bb 18128->18123 18445 4018e0 18128->18445 18131 402544 18130->18131 18132 40972d RegOpenKeyExA 18131->18132 18133 409740 18132->18133 18134 409765 18132->18134 18135 40974f RegDeleteValueA RegCloseKey 18133->18135 18134->17987 18135->18134 18137 402554 lstrcatA 18136->18137 18137->18027 18139 402544 18138->18139 18140 40919e wsprintfA 18139->18140 18141 4091bb 18140->18141 18496 409064 GetTempPathA 18141->18496 18144 4091d5 ShellExecuteA 18145 4091e7 18144->18145 18145->17971 18503 40dd05 GetTickCount 18146->18503 18148 40e538 18510 40dbcf 18148->18510 18150 40e544 18151 40e555 GetFileSize 18150->18151 18156 40e5b8 18150->18156 18152 40e5b1 CloseHandle 18151->18152 18153 40e566 18151->18153 18152->18156 18520 40db2e 
18153->18520 18529 40e3ca RegOpenKeyExA 18156->18529 18157 40e576 ReadFile 18157->18152 18159 40e58d 18157->18159 18524 40e332 18159->18524 18161 40e5f2 18163 40e3ca 19 API calls 18161->18163 18164 40e629 18161->18164 18163->18164 18164->17928 18166 40eabe 18165->18166 18168 40eaba 18165->18168 18167 40dd05 6 API calls 18166->18167 18166->18168 18167->18168 18168->17932 18170 40ee2a 18169->18170 18171 401db4 GetVersionExA 18170->18171 18172 401dd0 GetSystemInfo GetModuleHandleA GetProcAddress 18171->18172 18174 401e24 18172->18174 18175 401e16 GetCurrentProcess 18172->18175 18582 40e819 18174->18582 18175->18174 18177 401e3d 18178 40e819 11 API calls 18177->18178 18179 401e4e 18178->18179 18180 401e77 18179->18180 18589 40df70 18179->18589 18598 40ea84 18180->18598 18183 401e6c 18185 40df70 12 API calls 18183->18185 18185->18180 18186 40e819 11 API calls 18187 401e93 18186->18187 18602 40199c inet_addr LoadLibraryA 18187->18602 18190 40e819 11 API calls 18191 401eb9 18190->18191 18192 401ed8 18191->18192 18193 40f04e 4 API calls 18191->18193 18194 40e819 11 API calls 18192->18194 18195 401ec9 18193->18195 18196 401eee 18194->18196 18197 40ea84 30 API calls 18195->18197 18204 401f0a 18196->18204 18615 401b71 18196->18615 18197->18192 18199 40e819 11 API calls 18203 401f23 18199->18203 18200 401efd 18201 40ea84 30 API calls 18200->18201 18201->18204 18202 401f3f 18206 40e819 11 API calls 18202->18206 18203->18202 18619 401bdf 18203->18619 18204->18199 18208 401f5e 18206->18208 18210 401f77 18208->18210 18211 40ea84 30 API calls 18208->18211 18209 40ea84 30 API calls 18209->18202 18626 4030b5 18210->18626 18211->18210 18214 406ec3 2 API calls 18216 401f8e GetTickCount 18214->18216 18216->17936 18218 406ec3 2 API calls 18217->18218 18219 4080eb 18218->18219 18220 4080f9 18219->18220 18221 4080ef 18219->18221 18223 40704c 16 API calls 18220->18223 18674 407ee6 18221->18674 18225 408110 18223->18225 18224 408269 CreateThread 18242 405e6c 18224->18242 19004 40877e 
18224->19004 18227 408156 RegOpenKeyExA 18225->18227 18228 4080f4 18225->18228 18226 40675c 21 API calls 18232 408244 18226->18232 18227->18228 18229 40816d RegQueryValueExA 18227->18229 18228->18224 18228->18226 18230 4081f7 18229->18230 18231 40818d 18229->18231 18233 40820d RegCloseKey 18230->18233 18235 40ec2e codecvt 4 API calls 18230->18235 18231->18230 18236 40ebcc 4 API calls 18231->18236 18232->18224 18234 40ec2e codecvt 4 API calls 18232->18234 18233->18228 18234->18224 18241 4081dd 18235->18241 18237 4081a0 18236->18237 18237->18233 18238 4081aa RegQueryValueExA 18237->18238 18238->18230 18239 4081c4 18238->18239 18240 40ebcc 4 API calls 18239->18240 18240->18241 18241->18233 18742 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 18242->18742 18244 405e71 18743 40e654 18244->18743 18246 405ec1 18247 403132 18246->18247 18248 40df70 12 API calls 18247->18248 18249 40313b 18248->18249 18250 40c125 18249->18250 18754 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 18250->18754 18252 40c12d 18253 40e654 13 API calls 18252->18253 18254 40c2bd 18253->18254 18255 40e654 13 API calls 18254->18255 18256 40c2c9 18255->18256 18257 40e654 13 API calls 18256->18257 18258 40a47a 18257->18258 18259 408db1 18258->18259 18260 408dbc 18259->18260 18261 40e654 13 API calls 18260->18261 18262 408dec Sleep 18261->18262 18262->17972 18264 40c92f 18263->18264 18265 40c93c 18264->18265 18755 40c517 18264->18755 18267 40e819 11 API calls 18265->18267 18299 40ca2b 18265->18299 18268 40c96a 18267->18268 18269 40e819 11 API calls 18268->18269 18270 40c97d 18269->18270 18271 40e819 11 API calls 18270->18271 18272 40c990 18271->18272 18273 40c9aa 18272->18273 18274 40ebcc 4 API calls 18272->18274 18273->18299 18772 402684 18273->18772 18274->18273 18279 40ca26 18779 40c8aa 18279->18779 18282 40ca44 18283 40ca4b closesocket 18282->18283 18284 40ca83 18282->18284 18283->18279 18285 40ea84 30 API calls 18284->18285 18286 40caac 18285->18286 18287 
40f04e 4 API calls 18286->18287 18288 40cab2 18287->18288 18289 40ea84 30 API calls 18288->18289 18290 40caca 18289->18290 18291 40ea84 30 API calls 18290->18291 18292 40cad9 18291->18292 18787 40c65c 18292->18787 18295 40cb60 closesocket 18295->18299 18297 40dad2 closesocket 18298 40e318 23 API calls 18297->18298 18298->18299 18299->17972 18300 40df4c 20 API calls 18359 40cb70 18300->18359 18305 40e654 13 API calls 18305->18359 18311 40c65c send GetProcessHeap HeapSize GetProcessHeap HeapAlloc 18311->18359 18312 40d815 wsprintfA 18312->18359 18313 40cc1c GetTempPathA 18313->18359 18314 40ea84 30 API calls 18314->18359 18315 40d569 closesocket Sleep 18834 40e318 18315->18834 18316 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 18316->18359 18317 407ead 6 API calls 18317->18359 18318 40c517 23 API calls 18318->18359 18320 40d582 ExitProcess 18321 40e8a1 30 API calls 18321->18359 18322 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 18322->18359 18323 40cfe3 GetSystemDirectoryA 18323->18359 18324 40675c 21 API calls 18324->18359 18325 40d027 GetSystemDirectoryA 18325->18359 18326 40cfad GetEnvironmentVariableA 18326->18359 18327 40d105 lstrcatA 18327->18359 18328 40ef1e lstrlenA 18328->18359 18329 40cc9f CreateFileA 18331 40ccc6 WriteFile 18329->18331 18329->18359 18330 40d15b CreateFileA 18332 40d182 WriteFile CloseHandle 18330->18332 18330->18359 18333 40cdcc CloseHandle 18331->18333 18334 40cced CloseHandle 18331->18334 18332->18359 18333->18359 18340 40cd2f 18334->18340 18335 40cd16 wsprintfA 18335->18340 18336 40d149 SetFileAttributesA 18336->18330 18337 40d36e GetEnvironmentVariableA 18337->18359 18338 40d1bf SetFileAttributesA 18338->18359 18339 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 18339->18359 18340->18335 18816 407fcf 18340->18816 18341 40d22d GetEnvironmentVariableA 18341->18359 18343 40d3af lstrcatA 18346 40d3f2 CreateFileA 18343->18346 18343->18359 18345 407fcf 64 
19519->19524 19520 402b87 htons 19520->19516 19520->19524 19523 402bf3 GetProcessHeap HeapAlloc 19523->19524 19524->19513 19524->19515 19524->19516 19524->19517 19524->19518 19524->19519 19524->19520 19524->19523 19525 402c17 htons 19524->19525 19527 402c4d GetProcessHeap HeapFree 19524->19527 19535 402923 19524->19535 19547 402904 19524->19547 19543 402871 19525->19543 19527->19524 19529 40271d 19528->19529 19530 402717 19528->19530 19532 40272b GetTickCount htons 19529->19532 19531 40ebcc 4 API calls 19530->19531 19531->19529 19533 4027cc htons htons sendto 19532->19533 19534 40278a 19532->19534 19533->19524 19534->19533 19536 402944 19535->19536 19537 40293d 19535->19537 19551 402816 htons 19536->19551 19537->19524 19539 402871 htons 19542 402950 19539->19542 19540 4029bd htons htons htons 19540->19537 19541 4029f6 GetProcessHeap HeapAlloc 19540->19541 19541->19537 19541->19542 19542->19537 19542->19539 19542->19540 19544 4028e3 19543->19544 19546 402889 19543->19546 19544->19524 19545 4028c3 htons 19545->19544 19545->19546 19546->19544 19546->19545 19548 402921 19547->19548 19549 402908 19547->19549 19548->19524 19550 402909 GetProcessHeap HeapFree 19549->19550 19550->19548 19550->19550 19552 40286b 19551->19552 19553 402836 19551->19553 19552->19542 19553->19552 19554 40285c htons 19553->19554 19554->19552 19554->19553 19556 406bc0 19555->19556 19557 406bbc 19555->19557 19558 40ebcc 4 API calls 19556->19558 19568 406bd4 19556->19568 19557->19096 19559 406be4 19558->19559 19560 406c07 CreateFileA 19559->19560 19561 406bfc 19559->19561 19559->19568 19562 406c34 WriteFile 19560->19562 19563 406c2a 19560->19563 19564 40ec2e codecvt 4 API calls 19561->19564 19566 406c49 CloseHandle DeleteFileA 19562->19566 19567 406c5a CloseHandle 19562->19567 19565 40ec2e codecvt 4 API calls 19563->19565 19564->19568 19565->19568 19566->19563 19569 40ec2e codecvt 4 API calls 19567->19569 19568->19096 19569->19568 17859 41a770 17862 41a380 17859->17862 17861 41a775 17863 41a3a8 
17862->17863 17864 41a438 6 API calls 17863->17864 17874 41a548 17863->17874 17865 41a49f 6 API calls 17864->17865 17866 41a515 GetSystemDefaultLCID 17865->17866 17869 41a524 RtlEnterCriticalSection 17866->17869 17870 41a52f 17866->17870 17867 41a592 GetSystemTimes 17871 41a5b6 17867->17871 17867->17874 17868 41a582 GetUserObjectInformationW 17868->17867 17869->17870 17870->17874 17875 41a538 LoadLibraryW 17870->17875 17872 41a5b4 17871->17872 17873 41a5bf FoldStringW 17871->17873 17876 41a5dd 8 API calls 17872->17876 17877 41a66c GlobalAlloc 17872->17877 17873->17872 17874->17867 17874->17868 17874->17872 17875->17874 17886 41a63c 17876->17886 17879 41a689 17877->17879 17880 41a6bc LoadLibraryW 17877->17880 17879->17880 17889 41a0a0 GetModuleHandleW GetProcAddress VirtualProtect 17880->17889 17882 41a6cc 17890 41a310 17882->17890 17884 41a6e9 GlobalSize 17885 41a6d1 17884->17885 17885->17884 17887 41a713 InterlockedExchange 17885->17887 17888 41a729 17885->17888 17886->17877 17887->17885 17888->17861 17889->17882 17891 41a332 17890->17891 17892 41a326 QueryDosDeviceW 17890->17892 17901 41a1f0 17891->17901 17892->17891 17895 41a345 FreeEnvironmentStringsW 17896 41a34d 17895->17896 17904 41a230 17896->17904 17899 41a364 RtlAllocateHeap GetNumaProcessorNode 17900 41a37a 17899->17900 17900->17885 17902 41a207 GetStartupInfoW LoadLibraryA 17901->17902 17903 41a219 17901->17903 17902->17903 17903->17895 17903->17896 17905 41a265 17904->17905 17906 41a254 BuildCommDCBW 17904->17906 17907 41a283 17905->17907 17908 41a26d WritePrivateProfileStringA UnhandledExceptionFilter 17905->17908 17906->17907 17910 41a2b9 SetCalendarInfoA GetShortPathNameA 17907->17910 17911 41a2e0 17907->17911 17912 41a220 17907->17912 17908->17907 17910->17907 17911->17899 17911->17900 17915 41a1a0 17912->17915 17916 41a1cb 17915->17916 17917 41a1bc VirtualLock 17915->17917 17916->17907 17917->17916 19570 6b0005 19575 6b092b GetPEB 19570->19575 19572 6b0030 19577 6b003c 19572->19577 19576 6b0972 
19575->19576 19576->19572 19578 6b0049 19577->19578 19592 6b0e0f SetErrorMode SetErrorMode 19578->19592 19583 6b0265 19584 6b02ce VirtualProtect 19583->19584 19586 6b030b 19584->19586 19585 6b0439 VirtualFree 19590 6b05f4 LoadLibraryA 19585->19590 19591 6b04be 19585->19591 19586->19585 19587 6b04e3 LoadLibraryA 19587->19591 19589 6b08c7 19590->19589 19591->19587 19591->19590 19593 6b0223 19592->19593 19594 6b0d90 19593->19594 19595 6b0dad 19594->19595 19596 6b0dbb GetPEB 19595->19596 19597 6b0238 VirtualAlloc 19595->19597 19596->19597 19597->19583
                                                                                                                      APIs
                                                                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                                                        • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                                        • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                                        • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                                                      • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                                                      • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                                                      • ExitProcess.KERNEL32 ref: 00409C06
                                                                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                                                      • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                                                      • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                                                      • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                                                      • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                                                      • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                                                      • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                                                      • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                                                      • wsprintfA.USER32 ref: 0040A0B6
                                                                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                                                      • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                                                      • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                                                      • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                                                      • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                                                        • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                                                      • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                                                      • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                                                      • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                                                      • DeleteFileA.KERNEL32(C:\Users\user\Desktop\uMlLpvdLRU.exe), ref: 0040A407
                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                                                      • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                                                      • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                                                      • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                                      • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\uMlLpvdLRU.exe$C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe$D$P$\$yuzqifwu
                                                                                                                      • API String ID: 2089075347-260218807
                                                                                                                      • Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                                                      • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                                                      • Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                                                      • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • InterlockedDecrement.KERNEL32(?), ref: 0041A43D
                                                                                                                      • SetConsoleTitleA.KERNEL32(00000000), ref: 0041A445
                                                                                                                      • GlobalSize.KERNEL32(00000000), ref: 0041A44D
                                                                                                                      • FindAtomW.KERNEL32(00000000), ref: 0041A455
                                                                                                                      • SearchPathW.KERNEL32(0041CA08,0041C9CC,0041C98C,00000000,?,?), ref: 0041A479
                                                                                                                      • SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A483
                                                                                                                      • GetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 0041A4AB
                                                                                                                      • CopyFileExA.KERNEL32(0041CA54,0041CA48,00000000,00000000,00000000,00000000), ref: 0041A4C3
                                                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 0041A4C9
                                                                                                                      • WriteConsoleOutputW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0041A4E8
                                                                                                                      • GetNumaHighestNodeNumber.KERNEL32(?), ref: 0041A4F3
                                                                                                                      • DebugActiveProcessStop.KERNEL32(00000000), ref: 0041A4FB
                                                                                                                      • GetSystemDefaultLCID.KERNEL32 ref: 0041A515
                                                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 0041A529
                                                                                                                      • LoadLibraryW.KERNEL32(00000000), ref: 0041A542
                                                                                                                      • GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041A58C
                                                                                                                      • GetSystemTimes.KERNELBASE(?,?,?), ref: 0041A5A1
                                                                                                                      • FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A5C9
                                                                                                                      • GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 0041A5EC
                                                                                                                      • CallNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A5F9
                                                                                                                      • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0041A601
                                                                                                                      • CopyFileA.KERNEL32(0041CAD8,0041CAB0,00000000), ref: 0041A612
                                                                                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0041A619
                                                                                                                      • GetConsoleAliasExesLengthW.KERNEL32 ref: 0041A61F
                                                                                                                      • OpenWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0041A628
                                                                                                                      • GetBinaryTypeW.KERNEL32(00000000,00000000), ref: 0041A630
                                                                                                                      • GlobalAlloc.KERNELBASE(00000000,004220DC), ref: 0041A66F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734672491.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_415000_bndqedvz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Console$File$CopyDefaultGlobalLengthSystem$ActiveAliasAliasesAllocAtomAttributesBinaryCallCommComputerConfigCriticalDebugDecrementEnterEnvironmentExesFindFoldHighestInformationInterlockedLibraryLoadModeNameNamedNodeNumaNumberObjectOpenOutputPathPipeProcessSearchSectionSizeStopStringStringsTimerTimesTitleTypeUserWaitableWrite
                                                                                                                      • String ID: k`$}$
                                                                                                                      • API String ID: 1387190455-956986773
                                                                                                                      • Opcode ID: 0cdf8472348f809f2fd8f217c0fd777b165f73a7af62ccbf81e5d6157e6b6df5
                                                                                                                      • Instruction ID: 37379827b28c5908f82b0116f8609ffbc644b13a744a3271631f23acd6dce4b9
                                                                                                                      • Opcode Fuzzy Hash: 0cdf8472348f809f2fd8f217c0fd777b165f73a7af62ccbf81e5d6157e6b6df5
                                                                                                                      • Instruction Fuzzy Hash: E4A12471A45310AFD320AB61EC49BDF7B68EB4C705F00803AF659961A0C7785985CBEE

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                                                      • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                                                      • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1965334864-0
                                                                                                                      • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                                                      • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                                                      Control-flow Graph
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 00407472
                                                                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 004074F0
                                                                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 00407528
                                                                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 004076E7
                                                                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 00407717
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 00407745
                                                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 004077EF
                                                                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                                                      • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                                      • String ID: "
                                                                                                                      • API String ID: 3433985886-123907689
                                                                                                                      • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                                      • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                                                      • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                                      • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                                                      Control-flow Graph
                                                                                                                      APIs
                                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateEventExitProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2404124870-0
                                                                                                                      • Opcode ID: 7de862f9e9b35a1df311cf9a4407cf261d5ef3a80a072fcdc92d6b04e029e81b
                                                                                                                      • Instruction ID: a90c6c4c2b7f8b8208d93dc1fe438bcf4b3bc6ab1fe170e3c7599fd426c471ab
                                                                                                                      • Opcode Fuzzy Hash: 7de862f9e9b35a1df311cf9a4407cf261d5ef3a80a072fcdc92d6b04e029e81b
                                                                                                                      • Instruction Fuzzy Hash: 3851A3B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9

                                                                                                                      Control-flow Graph
                                                                                                                      APIs
                                                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006B024D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual
                                                                                                                      • String ID: cess$kernel32.dll
                                                                                                                      • API String ID: 4275171209-1230238691
                                                                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                      • Instruction ID: 1cbfe1bad8ad953d37be5dc3ae992457c84081cda89f7c9b413a08e1e8265b97
                                                                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                      • Instruction Fuzzy Hash: 275279B5A00229DFDB64CF58C984BA9BBB1BF09304F1480E9E50DAB351DB30AE85DF14

                                                                                                                      Control-flow Graph
                                                                                                                      APIs
                                                                                                                      • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                                                      • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                                                      • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                                                      • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                                                      • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                                                      • String ID: D
                                                                                                                      • API String ID: 2098669666-2746444292
                                                                                                                      • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                                      • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                                                      • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                                      • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                                                      Control-flow Graph
                                                                                                                      APIs
                                                                                                                      • LoadLibraryW.KERNELBASE(0041CB10), ref: 0041A6C1
                                                                                                                      • GlobalSize.KERNEL32(00000000), ref: 0041A6EB
                                                                                                                      • InterlockedExchange.KERNEL32(?,00000000), ref: 0041A71A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734672491.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_415000_bndqedvz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExchangeGlobalInterlockedLibraryLoadSize
                                                                                                                      • String ID: k`$}$
                                                                                                                      • API String ID: 1230614907-956986773
                                                                                                                      • Opcode ID: ad299a3146fbd31aa4e72491768b5ec2b553fdd1698bae50372d489600919617
                                                                                                                      • Instruction ID: 3691dabe03090a73b08bcf6b98ad8fa90aa58e4902adf23636a8ed1bf61f499c
                                                                                                                      • Opcode Fuzzy Hash: ad299a3146fbd31aa4e72491768b5ec2b553fdd1698bae50372d489600919617
                                                                                                                      • Instruction Fuzzy Hash: 5C1108307462408AC734AB20DC467DFB761EB48315F15443FE6AA962A1CB7894A1C7DF

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                                                      • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
• Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
• Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4

Control-flow Graph
control_flow_graph 670 41a0a0-41a195 GetModuleHandleW GetProcAddress VirtualProtect
APIs
• GetModuleHandleW.KERNEL32(00421FB0), ref: 0041A13E
• GetProcAddress.KERNEL32(00000000,00420720), ref: 0041A171
• VirtualProtect.KERNELBASE(00421DFC,004220DC,00000040,?), ref: 0041A190
Memory Dump Source
• Source File: 0000000C.00000002.2734672491.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_415000_bndqedvz.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-3916222277
• Opcode ID: 66c140271c644cc1f2ccc4ee16bc6603007ca1d7cd4741005967d982a08338d1
• Instruction ID: df23f584a4b94a56a47cf0700e1bb303751c1b2e60a1d636fe9a2e96d66d9807
• Opcode Fuzzy Hash: 66c140271c644cc1f2ccc4ee16bc6603007ca1d7cd4741005967d982a08338d1
• Instruction Fuzzy Hash: 52112964718240DED720CF64FE05B067AF1FBAC784F815238D1548B2B2DBB526468B6D

Control-flow Graph
control_flow_graph 683 404000-404008 684 40400b-40402a CreateFileA 683->684 685 404057 684->685 686 40402c-404035 GetLastError 684->686 687 404059-40405c 685->687 688 404052 686->688 689 404037-40403a 686->689 690 404054-404056 687->690 688->690 689->688 691 40403c-40403f 689->691 691->687 692 404041-404050 Sleep 691->692 692->684 692->688
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
• Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
• Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTickCount.KERNEL32 ref: 0040EC78
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
• Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

Control-flow Graph
control_flow_graph 694 406e36-406e5d GetUserNameW 695 406ebe-406ec2 694->695 696 406e5f-406e95 LookupAccountNameW 694->696 696->695 697 406e97-406e9b 696->697 698 406ebb-406ebd 697->698 699 406e9d-406ea3 697->699 698->695 699->698 700 406ea5-406eaa 699->700 701 406eb7-406eb9 700->701 702 406eac-406eb0 700->702 701->695 702->698 703 406eb2-406eb5 702->703 703->698 703->701
APIs
• GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID:
• API String ID: 2370142434-0
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

Control-flow Graph
control_flow_graph 704 6e441e-6e4437 705 6e4439-6e443b 704->705 706 6e443d 705->706 707 6e4442-6e444e CreateToolhelp32Snapshot 705->707 706->707 708 6e445e-6e446b Module32First 707->708 709 6e4450-6e4456 707->709 710 6e446d-6e446e call 6e40dd 708->710 711 6e4474-6e447c 708->711 709->708 714 6e4458-6e445c 709->714 715 6e4473 710->715 714->705 714->708 715->711
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006E4446
• Module32First.KERNEL32(00000000,00000224), ref: 006E4466
Memory Dump Source
• Source File: 0000000C.00000002.2737258671.00000000006E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 006E3000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6e3000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: c54481a68dd48520dcc6c5b577859663d9b7b2b0c63d03e7ee0a26606bc8d4b2
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: E5F0F632201350BBDB203BF6988DBAE72E9EF48724F100128E652915C0CF74EC058A61

Control-flow Graph
control_flow_graph 717 6b0e0f-6b0e24 SetErrorMode * 2 718 6b0e2b-6b0e2c 717->718 719 6b0e26 717->719 719->718
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,006B0223,?,?), ref: 006B0E19
• SetErrorMode.KERNELBASE(00000000,?,?,006B0223,?,?), ref: 006B0E1E
Memory Dump Source
• Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: 5ec0122905795958cf8b6ea84eb92189ad46b0a0d2fb6fa6a8bc84ef3f06bca4
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 19D0123114512877D7002A94DC09BCE7F1CDF05B62F008411FB0DD9180C770994147E5

Control-flow Graph
control_flow_graph 720 406dc2-406dd5 721 406e33-406e35 720->721 722 406dd7-406df1 call 406cc9 call 40ef00 720->722 727 406df4-406df9 722->727 727->727 728 406dfb-406e00 727->728 729 406e02-406e22 GetVolumeInformationA 728->729 730 406e24 728->730 729->730 731 406e2e 729->731 730->731 731->721
APIs
• Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
• String ID:
• API String ID: 1823874839-0
• Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
• Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
APIs
• SetServiceStatus.SECHOST(00413394), ref: 004098EB
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: ServiceStatus
• String ID:
• API String ID: 3969395364-0
• Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
• Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
• Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
• Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006E412E
Memory Dump Source
• Source File: 0000000C.00000002.2737258671.00000000006E3000.00000040.00000020.00020000.00000000.sdmp, Offset: 006E3000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6e3000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: dec849b39e0adcc75bf3005ca7ead91d4f867ae444d7190d734c03e3cc8bdccc
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: AA113979A00208EFDB01DF99C985E99BBF5EF08350F1580A4F9489B362D771EA90DF80
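The "APIs" lists in these function blocks give each call's module, the stack arguments Joe Sandbox captured at the call site, and the return address. Read by eye, the security-relevant constants are easy to miss: VirtualProtect with 00000040 (PAGE_EXECUTE_READWRITE) right after GetModuleHandleW/GetProcAddress in the 41a0a0 block, the CreateFileA/GetLastError/Sleep(000001F4) retry loop in 404000 (edge 692->684 in its graph), CreateToolhelp32Snapshot with 00000008 (TH32CS_SNAPMODULE) in 6e441e, and VirtualAlloc with 00000040 at 006E412E. The Python script below is an added example and is not part of the Joe Sandbox report or its tooling: it parses lines in the report's `Name.MODULE(args), ref: addr` format and flags those primitives. It assumes the positional arguments follow the documented Win32 parameter order (they are raw stack snapshots, so a value may be stale or `?`); the sample lines are copied from the blocks on this page, including the VirtualAllocEx call listed further down.

```python
"""Decode memory-protection and injection primitives from Joe Sandbox 'APIs' lines.

Added example, not part of the sandbox report. Assumes the positional arguments
printed by Joe Sandbox follow the documented Win32 parameter order; they are
stack snapshots, so a value may be stale or '?'.
"""
import re
from dataclasses import dataclass

# "Name.MODULE(arg,arg), ref: ADDR", optionally prefixed by a bullet and by
# "Part of subcall function XXXXXXXX:"; GetTickCount appears with no parentheses.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80  # any PAGE_EXECUTE_* flag
PAGE_EXECUTE_READWRITE = 0x40
TH32CS_SNAPMODULE = 0x8
# Index of the protection argument, per the Win32 prototypes.
PROTECT_ARG_INDEX = {"VirtualProtect": 2, "VirtualAlloc": 3, "VirtualAllocEx": 4}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int

    def arg(self, i):
        """Argument i: int for an 8-digit hex token, the raw token otherwise, None if absent."""
        return self.args[i] if i < len(self.args) else None


def parse_api_line(line):
    """Parse one report line into an ApiCall, or None if it is not an API line."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = []
    for tok in (m.group("args") or "").split(","):
        tok = tok.strip()
        if tok:
            args.append(int(tok, 16) if HEX8.match(tok) else tok)
    return ApiCall(m.group("api"), m.group("module").upper(), args, int(m.group("ref"), 16))


def flag_calls(calls):
    """Return sorted (ref, message) findings for the API list of one function block."""
    findings = []
    names = {c.api for c in calls}
    for c in calls:
        idx = PROTECT_ARG_INDEX.get(c.api)
        prot = c.arg(idx) if idx is not None else None
        if isinstance(prot, int) and prot & PAGE_EXECUTE_MASK:
            kind = "RWX" if prot == PAGE_EXECUTE_READWRITE else "executable"
            where = " in a foreign process" if c.api == "VirtualAllocEx" else ""
            findings.append((c.ref, f"{c.api} requests {kind} memory (0x{prot:02X}){where}"))
        if c.api == "CreateToolhelp32Snapshot":
            flags = c.arg(0)
            if isinstance(flags, int) and flags & TH32CS_SNAPMODULE:
                findings.append((c.ref, "CreateToolhelp32Snapshot(TH32CS_SNAPMODULE) enumerates loaded modules"))
    # Sequence heuristics over the whole block, not a single call.
    if "GetProcAddress" in names and names & {"GetModuleHandleA", "GetModuleHandleW"}:
        ref = min(c.ref for c in calls if c.api == "GetProcAddress")
        findings.append((ref, "imports resolved at run time via GetModuleHandle/GetProcAddress"))
    if "Sleep" in names and names & {"CreateFileA", "CreateFileW"}:
        sleep = next(c for c in calls if c.api == "Sleep")
        ms = sleep.arg(0)
        delay = f"{ms} ms" if isinstance(ms, int) else "?"
        findings.append((sleep.ref, f"CreateFile retried after Sleep({delay}) on failure"))
    return sorted(findings)


def analyze_blocks(blocks):
    """Map each block name to its findings; non-API lines are ignored."""
    return {
        name: flag_calls([c for c in map(parse_api_line, lines) if c is not None])
        for name, lines in blocks.items()
    }


# Constructed input: API lines copied from the report's function blocks.
SAMPLE_BLOCKS = {
    "41a0a0": [
        "• GetModuleHandleW.KERNEL32(00421FB0), ref: 0041A13E",
        "• GetProcAddress.KERNEL32(00000000,00420720), ref: 0041A171",
        "• VirtualProtect.KERNELBASE(00421DFC,004220DC,00000040,?), ref: 0041A190",
    ],
    "404000": [
        "• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021",
        "• GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C",
        "• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046",
    ],
    "6e441e": [
        "• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006E4446",
        "• Module32First.KERNEL32(00000000,00000224), ref: 006E4466",
    ],
    "6e412e": ["• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006E412E"],
    "6b65f6": [
        "• GetModuleHandleA.KERNEL32(00000000), ref: 006B65F6",
        "• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 006B6610",
        "• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 006B6631",
    ],
}

if __name__ == "__main__":
    for block, findings in analyze_blocks(SAMPLE_BLOCKS).items():
        for ref, msg in findings:
            print(f"{block}: {ref:08X} {msg}")
```

The 6b65f6 block shows why the protection argument has to be decoded per prototype: its VirtualAlloc asks for 00000004 (PAGE_READWRITE) and is left alone, while the VirtualAllocEx with 00000040 is reported. To cover the Nt* variants (NtProtectVirtualMemory, NtAllocateVirtualMemory) add their argument positions to PROTECT_ARG_INDEX; the parser itself needs no change.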
APIs
• Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: CreateEventSleep
• String ID:
• API String ID: 3100162736-0
• Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
• Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
• Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
• Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 006B65F6
                                                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 006B6610
                                                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 006B6631
                                                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 006B6652
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1965334864-0
                                                                                                                      • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                                      • Instruction ID: 4bd01ec6da9f1f18e8a70a1e8ad7fc44212b1e80f68a73fe51c77a47cb7ed226
                                                                                                                      • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                                      • Instruction Fuzzy Hash: 151173B2600218BFDB219F65DC46FDB3FA9EB057A5F104024FA08E7251E7B5DD9087A4
                                                                                                                      APIs
                                                                                                                      • ExitProcess.KERNEL32 ref: 006B9E6D
                                                                                                                      • lstrcpy.KERNEL32(?,00000000), ref: 006B9FE1
                                                                                                                      • lstrcat.KERNEL32(?,?), ref: 006B9FF2
                                                                                                                      • lstrcat.KERNEL32(?,0041070C), ref: 006BA004
                                                                                                                      • GetFileAttributesExA.KERNEL32(?,?,?), ref: 006BA054
                                                                                                                      • DeleteFileA.KERNEL32(?), ref: 006BA09F
                                                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 006BA0D6
                                                                                                                      • lstrcpy.KERNEL32 ref: 006BA12F
                                                                                                                      • lstrlen.KERNEL32(00000022), ref: 006BA13C
                                                                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 006B9F13
                                                                                                                        • Part of subcall function 006B7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 006B7081
                                                                                                                        • Part of subcall function 006B6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\eafwolca,006B7043), ref: 006B6F4E
                                                                                                                        • Part of subcall function 006B6F30: GetProcAddress.KERNEL32(00000000), ref: 006B6F55
                                                                                                                        • Part of subcall function 006B6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 006B6F7B
                                                                                                                        • Part of subcall function 006B6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 006B6F92
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 006BA1A2
                                                                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 006BA1C5
                                                                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 006BA214
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 006BA21B
                                                                                                                      • GetDriveTypeA.KERNEL32(?), ref: 006BA265
                                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 006BA29F
                                                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 006BA2C5
                                                                                                                      • lstrcat.KERNEL32(?,00000022), ref: 006BA2D9
                                                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 006BA2F4
                                                                                                                      • wsprintfA.USER32 ref: 006BA31D
                                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 006BA345
                                                                                                                      • lstrcat.KERNEL32(?,?), ref: 006BA364
                                                                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 006BA387
                                                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 006BA398
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 006BA1D1
                                                                                                                        • Part of subcall function 006B9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 006B999D
                                                                                                                        • Part of subcall function 006B9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 006B99BD
                                                                                                                        • Part of subcall function 006B9966: RegCloseKey.ADVAPI32(?), ref: 006B99C6
                                                                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 006BA3DB
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 006BA3E2
                                                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 006BA41D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                                                      • String ID: "$"$"$D$P$\
                                                                                                                      • API String ID: 1653845638-2605685093
                                                                                                                      • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                                      • Instruction ID: 5c4c9c5d38c69f00c30ea41f63ae349bda08e306d23cebc31d4b3e4f78aca414
                                                                                                                      • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                                      • Instruction Fuzzy Hash: 4DF130F1D40259AFDF21DBA08C49EEE7BBDAB08304F0484AAF605E2151E7758AC58F65
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                                                      • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                                                      • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                                                      • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                                                      • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                                                      • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                                                      • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                                                      • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                                                      • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                                                      • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                                                      • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                                      • API String ID: 2238633743-3228201535
                                                                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                                                      APIs
                                                                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                                      • API String ID: 766114626-2976066047
                                                                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
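The format string listed with this function, "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u", together with the Sun..Sat and Jan..Dec abbreviations and the GetTimeZoneInformation call, lays out the Date header of an RFC 5322 e-mail message (for example "Sat, 13 Jan 2018 12:08:32 +0100"). The following is an added example and not code from the report: it rebuilds that string from a SYSTEMTIME-style local time and a TIME_ZONE_INFORMATION bias, then parses the result back with the standard library to confirm the layout is a valid Date header. The field order (day name, day, month name, year, h:m:s, sign, offset hours, offset minutes) is an assumption read off the format string; the sample values are constructed, not observed bot output.

```python
"""Rebuild the date string the wsprintfA call above produces.
Added example, not code from the report; the field order is an assumption
read off the format string and the Sun..Sat / Jan..Dec strings listed with it."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Format string and abbreviations exactly as listed; SYSTEMTIME.wDayOfWeek
# counts Sunday as 0, so the day table starts with Sun.
FMT = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def utc_offset_minutes(bias_minutes: int) -> int:
    """TIME_ZONE_INFORMATION.Bias is defined as UTC = local + Bias, so the
    printed '+HHMM' offset is the negated bias (Bias -60 -> +0100)."""
    return -bias_minutes


def format_like_sample(local: datetime, bias_minutes: int) -> str:
    """Format a naive local datetime the way the listed wsprintfA call does.
    Python's %-formatting accepts %u and %.2u with the same meaning as wsprintfA
    (unsigned decimal, at least two digits)."""
    offset = utc_offset_minutes(bias_minutes)
    hh, mm = divmod(abs(offset), 60)
    return FMT % (DAYS[(local.weekday() + 1) % 7], local.day, MONTHS[local.month - 1],
                  local.year, local.hour, local.minute, local.second,
                  "+" if offset >= 0 else "-", hh, mm)


def to_utc(header_value: str) -> datetime:
    """Parse the produced string as an RFC 5322 date and normalise it to naive UTC;
    a successful parse confirms the layout is a valid Date header value."""
    return parsedate_to_datetime(header_value).astimezone(timezone.utc).replace(tzinfo=None)


def round_trips(local: datetime, bias_minutes: int) -> bool:
    """True when formatting and re-parsing lands on the UTC instant local + Bias."""
    return to_utc(format_like_sample(local, bias_minutes)) == local + timedelta(minutes=bias_minutes)


if __name__ == "__main__":
    # Constructed sample values, not observed output of the sample.
    stamp = datetime(2018, 1, 13, 12, 8, 32)
    for bias in (-60, 0, 300):
        s = format_like_sample(stamp, bias)
        print(s, "->", to_utc(s), "UTC; round trip:", round_trips(stamp, bias))
```

Note the sign flip: Windows stores the bias as UTC minus local, so a machine in UTC+1 reports Bias = -60 and the string must carry "+0100". A formatter that prints the bias sign directly produces headers that parse to the wrong instant, which is the kind of artefact worth checking for when matching Date headers from this family against mail server logs.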
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 006B7D21
                                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 006B7D46
                                                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 006B7D7D
                                                                                                                      • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 006B7DA2
                                                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 006B7DC0
                                                                                                                      • EqualSid.ADVAPI32(?,?), ref: 006B7DD1
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 006B7DE5
                                                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 006B7DF3
                                                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 006B7E03
                                                                                                                      • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 006B7E12
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 006B7E19
                                                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006B7E35
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                                      • String ID: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe$D
                                                                                                                      • API String ID: 2976863881-493086155
                                                                                                                      • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                                      • Instruction ID: 4e2a49b303780a28f3f45141dad7bcd9aa070fa366006832f4bd4a3bdc8c9f4a
                                                                                                                      • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                                      • Instruction Fuzzy Hash: C5A14CB1900219AFDB119FA0DD88FEEBBBEFF48340F148069E505E7250DB758A85CB64
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                                                      • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe$D
• API String ID: 2976863881-493086155
• Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
• Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
• Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58

APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
• Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
• Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 006B7A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 006B7ACD
• GetLengthSid.ADVAPI32(?), ref: 006B7ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 006B7B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 006B7B1F
• EqualSid.ADVAPI32(?,?), ref: 006B7B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 006B7B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 006B7B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 006B7B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 006B7B77
• LocalFree.KERNEL32(00000000), ref: 006B7B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006B7B9A
• GetAce.ADVAPI32(?,?,?), ref: 006B7BCA
• EqualSid.ADVAPI32(?,?), ref: 006B7BF1
• DeleteAce.ADVAPI32(?,?), ref: 006B7C0A
• EqualSid.ADVAPI32(?,?), ref: 006B7C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 006B7CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 006B7CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 006B7CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 006B7CE0
• LocalFree.KERNEL32(00000000), ref: 006B7CEE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: 6c5e1e8f4022bffd71ebdc9bca60ad62b60e5900099cc5b722cb224e1ba1b24a
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 72815DB190421AAFDB11CFA4DD84FEEBFB9AF48304F04806AE505E6250D7759A85CF64

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• LocalFree.KERNEL32(00000000), ref: 00407A87
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe$localcfg
• API String ID: 237177642-3478224671
• Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69

APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
• Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
• Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A

APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
• Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                                                      APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 006B865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 006B867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 006B86A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 006B86B1
Memory Dump Source
• Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe
• API String ID: 237177642-1929718735
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
APIs
• ShellExecuteExW.SHELL32(?), ref: 006B1601
• lstrlenW.KERNEL32(-00000003), ref: 006B17D8
Memory Dump Source
• Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 006B76D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 006B7757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 006B778F
• ___ascii_stricmp.LIBCMT ref: 006B78B4
• RegCloseKey.ADVAPI32(?), ref: 006B794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 006B796D
• RegCloseKey.ADVAPI32(?), ref: 006B797E
• RegCloseKey.ADVAPI32(?), ref: 006B79AC
• RegCloseKey.ADVAPI32(?), ref: 006B7A56
  • Part of subcall function 006BF40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,006B772A,?), ref: 006BF414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 006B79F6
• RegCloseKey.ADVAPI32(?), ref: 006B7A4D
Memory Dump Source
• Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(76230F10,?,76230F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(76230F10), ref: 00407208
• RegCloseKey.ADVAPI32(76230F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(76230F10), ref: 004072D0
• RegCloseKey.ADVAPI32(76230F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(76230F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 006B2CED
• socket.WS2_32(00000002,00000002,00000011), ref: 006B2D07
• htons.WS2_32(00000000), ref: 006B2D42
• select.WS2_32 ref: 006B2D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 006B2DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 006B2E62
Memory Dump Source
• Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
                                                                                                                      APIs
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                                                      • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                                                      • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                                                      • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                                                      • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,76230F10,00000000), ref: 0040688B
                                                                                                                      • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 00406906
                                                                                                                      • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,76230F10,00000000), ref: 0040691C
                                                                                                                      • CloseHandle.KERNEL32(000000FF,?,76230F10,00000000), ref: 00406971
                                                                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2622201749-0
                                                                                                                      APIs
                                                                                                                      • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                                                      • wsprintfA.USER32 ref: 004093CE
                                                                                                                      • wsprintfA.USER32 ref: 0040940C
                                                                                                                      • wsprintfA.USER32 ref: 0040948D
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                                      • String ID: runas
                                                                                                                      • API String ID: 3696105349-4000483414
                                                                                                                      APIs
                                                                                                                      • wsprintfA.USER32 ref: 0040B467
                                                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$wsprintf
                                                                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                                      • API String ID: 1220175532-2340906255
                                                                                                                      APIs
                                                                                                                      • GetVersionExA.KERNEL32 ref: 006B202D
                                                                                                                      • GetSystemInfo.KERNEL32(?), ref: 006B204F
                                                                                                                      • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 006B206A
                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 006B2071
                                                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 006B2082
                                                                                                                      • GetTickCount.KERNEL32 ref: 006B2230
                                                                                                                        • Part of subcall function 006B1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 006B1E7C
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                                      • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                                                      • API String ID: 4207808166-1391650218
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 00402078
                                                                                                                      • GetTickCount.KERNEL32 ref: 004020D4
                                                                                                                      • GetTickCount.KERNEL32 ref: 004020DB
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040212B
                                                                                                                      • GetTickCount.KERNEL32 ref: 00402132
                                                                                                                      • GetTickCount.KERNEL32 ref: 00402142
                                                                                                                        • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                                                        • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                                                        • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                                        • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                                        • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                                                      • API String ID: 3976553417-1522128867
                                                                                                                      APIs
                                                                                                                      • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                                                      • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: closesockethtonssocket
                                                                                                                      • String ID: time_cfg
                                                                                                                      • API String ID: 311057483-2401304539
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                                      • String ID: localcfg
                                                                                                                      • API String ID: 1553760989-1857712256
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 006B3068
                                                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 006B3078
                                                                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 006B3095
                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 006B30B6
                                                                                                                      • htons.WS2_32(00000035), ref: 006B30EF
                                                                                                                      • inet_addr.WS2_32(?), ref: 006B30FA
                                                                                                                      • gethostbyname.WS2_32(?), ref: 006B310D
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 006B314D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                                      • String ID: iphlpapi.dll
                                                                                                                      • API String ID: 2869546040-3565520932
                                                                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                                      • Instruction ID: 8563423c9a6a87528293bea945ac5a5b523114916a72650a232d0c637f98e104
                                                                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                                      • Instruction Fuzzy Hash: C53193B1B00216ABDB119BB89C48AEE77BDAF04760F148125E518E7390DB74DAC18B58
                                                                                                                      APIs
                                                                                                                      • GetVersionExA.KERNEL32(?), ref: 006B95A7
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 006B95D5
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 006B95DC
                                                                                                                      • wsprintfA.USER32 ref: 006B9635
                                                                                                                      • wsprintfA.USER32 ref: 006B9673
                                                                                                                      • wsprintfA.USER32 ref: 006B96F4
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 006B9758
                                                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 006B978D
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 006B97D8
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3696105349-0
                                                                                                                      • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                                      • Instruction ID: 33a3cb1ad8b4d67d492f212fdb03cbd963b23e083c4a00e69871bce7fc93824a
                                                                                                                      • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                                      • Instruction Fuzzy Hash: 73A16FF1940208AFEB21DFA0DC45FDA3BADEB05741F10402AFA1596252E775D9C4CBA9
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                                      • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                                                                      • API String ID: 3560063639-3847274415
                                                                                                                      • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                                      • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                                                      • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                                      • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                                                      APIs
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcmpi
                                                                                                                      • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                                                      • API String ID: 1586166983-1625972887
                                                                                                                      • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                                      • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                                                      • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                                      • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                                                      APIs
                                                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                                      • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                                      • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3188212458-0
                                                                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                      • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                      • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                                                      APIs
                                                                                                                      • IsBadReadPtr.KERNEL32(?,00000008), ref: 006B67C3
                                                                                                                      • htonl.WS2_32(?), ref: 006B67DF
                                                                                                                      • htonl.WS2_32(?), ref: 006B67EE
                                                                                                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 006B68F1
                                                                                                                      • ExitProcess.KERNEL32 ref: 006B69BC
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Processhtonl$CurrentExitRead
                                                                                                                      • String ID: except_info$localcfg
                                                                                                                      • API String ID: 1430491713-3605449297
                                                                                                                      • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                                      • Instruction ID: ad1428be797c06e35cb4f0e8b6f83faf1583cab4b0f8b81e013b3fa6e7108300
                                                                                                                      • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                                      • Instruction Fuzzy Hash: FA6160B2940208AFDB609FB4DC45FEA77E9FF08300F14806AFA6DD2161DA759990CF54
                                                                                                                      APIs
                                                                                                                      • htons.WS2_32(006BCC84), ref: 006BF5B4
                                                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 006BF5CE
                                                                                                                      • closesocket.WS2_32(00000000), ref: 006BF5DC
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: closesockethtonssocket
                                                                                                                      • String ID: time_cfg
                                                                                                                      • API String ID: 311057483-2401304539
                                                                                                                      • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                                      • Instruction ID: b614c7865280534aa9c9632b5a6ced31c8737fbec1af767094421a8510ff0bff
                                                                                                                      • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                                      • Instruction Fuzzy Hash: 8B316EB6900118ABDB10DFA5DC89DEFBBBDEF89310F10457AF915D3160E7709A818BA4
                                                                                                                      APIs
                                                                                                                      • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                                      • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                                      • wsprintfA.USER32 ref: 00407036
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                                      • String ID: /%d$|
                                                                                                                      • API String ID: 676856371-4124749705
                                                                                                                      • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                                      • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                                                      • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                                      • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(?), ref: 006B2FA1
                                                                                                                      • LoadLibraryA.KERNEL32(?), ref: 006B2FB1
                                                                                                                      • GetProcAddress.KERNEL32(00000000,004103F0), ref: 006B2FC8
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 006B3000
                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 006B3007
                                                                                                                      • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 006B3032
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                                      • String ID: dnsapi.dll
                                                                                                                      • API String ID: 1242400761-3175542204
                                                                                                                      • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                                      • Instruction ID: a96281e48dfff0d0a973ee1f708d05a9a42083d5648bdcdaa2dd334407f9e1d6
                                                                                                                      • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                                      • Instruction Fuzzy Hash: 7721A4B1A41226BBCB219B54DC489EEBBBDEF08B50F104421F901E7240D7B49EC187D4
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                                                      • API String ID: 1082366364-3395550214
                                                                                                                      • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                                      • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                                                      • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                                      • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                                                      APIs
                                                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 006B9A18
                                                                                                                      • GetThreadContext.KERNEL32(?,?), ref: 006B9A52
                                                                                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 006B9A60
                                                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 006B9A98
                                                                                                                      • SetThreadContext.KERNEL32(?,00010002), ref: 006B9AB5
                                                                                                                      • ResumeThread.KERNEL32(?), ref: 006B9AC2
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                                      • String ID: D
                                                                                                                      • API String ID: 2981417381-2746444292
                                                                                                                      • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                                      • Instruction ID: f2e0e42580501e5d8aa5cdbdab5bb6220977772b2a54f4d1d8c6baeb4dd6b3dd
                                                                                                                      • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                                      • Instruction Fuzzy Hash: 6E213BB1A01219BBDB119BA1DC09EEFBBBDEF04750F404061BA19E1151EB758A84CBA4
                                                                                                                      APIs
                                                                                                                      • inet_addr.WS2_32(004102D8), ref: 006B1C18
                                                                                                                      • LoadLibraryA.KERNEL32(004102C8), ref: 006B1C26
                                                                                                                      • GetProcessHeap.KERNEL32 ref: 006B1C84
                                                                                                                      • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 006B1C9D
                                                                                                                      • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 006B1CC1
                                                                                                                      • HeapFree.KERNEL32(?,00000000,00000000), ref: 006B1D02
                                                                                                                      • FreeLibrary.KERNEL32(?), ref: 006B1D0B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2324436984-0
                                                                                                                      • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                                      • Instruction ID: 84918c03ea162fd62e06558f0c749231b3e352f7220cbf63271e04ef29771a63
                                                                                                                      • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                                      • Instruction Fuzzy Hash: 9E313EB1E00219BFCB119FA4DC988EEBFBAEF46711B64447AE501E6210D7B54EC0DB94
                                                                                                                      APIs
                                                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006B6CE4
                                                                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 006B6D22
                                                                                                                      • GetLastError.KERNEL32 ref: 006B6DA7
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 006B6DB5
                                                                                                                      • GetLastError.KERNEL32 ref: 006B6DD6
                                                                                                                      • DeleteFileA.KERNEL32(?), ref: 006B6DE7
                                                                                                                      • GetLastError.KERNEL32 ref: 006B6DFD
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3873183294-0
                                                                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                      • Instruction ID: 2f64cd09de63f185deacac8ea5549fbe2bacf4ee24bc096796643ca526ed0928
                                                                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                      • Instruction Fuzzy Hash: 9231E3B6A00249BFCB01DFA4DD44ADEBF7AEF48310F14807AF251E3261D7748A958B65
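Two of the function entries above are worth decoding rather than reading raw. The first (ref 006B9A18 to 006B9AC2) lists CreateProcessA with dwCreationFlags 00000004, which is CREATE_SUSPENDED, followed by GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread: the suspended-process injection chain behind the report's "Injects a PE file into a foreign processes" and "Writes to foreign memory regions" signatures. The value 00010002 shown for the second SetThreadContext argument equals CONTEXT_INTEGER (CONTEXT_i386 | 0x2). The second (ref 006B6CE4 to 006B6DFD) opens a file with dwDesiredAccess 40000000 (GENERIC_WRITE) and dwCreationDisposition 00000002 (CREATE_ALWAYS), queries free disk space and deletes the file again. The Python below is an added example, not Joe Sandbox tooling or part of this report: it parses API call lines in the report's own format, names those constants, and flags the injection chain in order. The SAMPLE_* strings are constructed from the lines above; the field positions follow the documented Win32 prototypes, and the Joe Sandbox line format is assumed from what this page shows.

```python
"""Decode and classify Joe Sandbox-style API call lines (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional

# Matches lines such as (assumed from this report's listing format):
#   CreateProcessA.KERNEL32(00000000,?,...,00000004,...), ref: 006B9A18
#   GetProcessHeap.KERNEL32 ref: 006B1C84        (no argument list shown)
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants behind the raw hex arguments in the listing.
CREATE_SUSPENDED = 0x00000004            # CreateProcess dwCreationFlags (arg 5)
GENERIC_READ = 0x80000000                # CreateFile dwDesiredAccess (arg 1)
GENERIC_WRITE = 0x40000000
CREATE_ALWAYS = 2                        # CreateFile dwCreationDisposition (arg 4)
CONTEXT_i386 = 0x00010000                # CONTEXT.ContextFlags (x86)
CONTEXT_CONTROL = CONTEXT_i386 | 0x1
CONTEXT_INTEGER = CONTEXT_i386 | 0x2


class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: str


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API call line of one function's 'APIs' block, in listing order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref")))
    return calls


def hex_arg(call: ApiCall, index: int) -> Optional[int]:
    """Argument `index` as an int; None when absent or shown as '?' / a string."""
    if index >= len(call.args) or not re.fullmatch(r"[0-9A-Fa-f]{8}", call.args[index]):
        return None
    return int(call.args[index], 16)


def decode_context_flags(flags: int) -> List[str]:
    """Name the x86 CONTEXT.ContextFlags bits present in `flags`."""
    table = (("CONTEXT_i386", CONTEXT_i386), ("CONTEXT_CONTROL", CONTEXT_CONTROL),
             ("CONTEXT_INTEGER", CONTEXT_INTEGER))
    return [name for name, bits in table if flags & bits == bits]


def decode_create_file(call: ApiCall) -> Dict[str, object]:
    """Name the access mask and creation disposition of a CreateFileA/W call."""
    access = hex_arg(call, 1) or 0
    disposition = hex_arg(call, 4)
    names = [n for n, bit in (("GENERIC_READ", GENERIC_READ),
                              ("GENERIC_WRITE", GENERIC_WRITE)) if access & bit]
    return {"access": names,
            "disposition": "CREATE_ALWAYS" if disposition == CREATE_ALWAYS else disposition,
            "ref": call.ref}


def find_injection_chain(calls: List[ApiCall]) -> Optional[Dict[str, object]]:
    """Flag CreateProcess*(CREATE_SUSPENDED) -> WriteProcessMemory ->
    SetThreadContext -> ResumeThread occurring in that order."""
    found: Dict[str, object] = {}
    stage = 0
    for call in calls:
        if stage == 0 and call.api.startswith("CreateProcess"):
            flags = hex_arg(call, 5)
            if flags is not None and flags & CREATE_SUSPENDED:
                found["create_process_ref"], stage = call.ref, 1
        elif stage == 1 and call.api == "WriteProcessMemory":
            found["write_ref"], stage = call.ref, 2
        elif stage == 2 and call.api == "SetThreadContext":
            ctx = hex_arg(call, 1)   # the listing shows 00010002 here
            found["context_flags"] = decode_context_flags(ctx) if ctx is not None else []
            found["set_context_ref"], stage = call.ref, 3
        elif stage == 3 and call.api == "ResumeThread":
            found["resume_ref"] = call.ref
            return found
    return None


# Constructed samples: lines copied from the function listing in this report.
SAMPLE_INJECTION = r"""
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 006B9A18
• GetThreadContext.KERNEL32(?,?), ref: 006B9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 006B9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 006B9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 006B9AB5
• ResumeThread.KERNEL32(?), ref: 006B9AC2
"""
SAMPLE_FILE = r"""
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006B6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 006B6D22
• DeleteFileA.KERNEL32(?), ref: 006B6DE7
"""
SAMPLE_HEAP = r"""
• inet_addr.WS2_32(004102D8), ref: 006B1C18
• LoadLibraryA.KERNEL32(004102C8), ref: 006B1C26
• GetProcessHeap.KERNEL32 ref: 006B1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 006B1C9D
• HeapFree.KERNEL32(?,00000000,00000000), ref: 006B1D02
"""

if __name__ == "__main__":
    print(find_injection_chain(parse_api_lines(SAMPLE_INJECTION)))
    print(decode_create_file(parse_api_lines(SAMPLE_FILE)[0]))
    print(find_injection_chain(parse_api_lines(SAMPLE_HEAP)))
```

The chain matcher is deliberately order-sensitive and requires the CREATE_SUSPENDED bit, so a function that merely calls WriteProcessMemory (a debugger, an installer patching its own child) does not trip it; the TerminateProcess between GetThreadContext and WriteProcessMemory is the failure path of the same loader and is ignored. Running it over the heap-allocation entry returns None.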
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\eafwolca,006B7043), ref: 006B6F4E
                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 006B6F55
                                                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 006B6F7B
                                                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 006B6F92
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                                      • String ID: C:\Windows\SysWOW64\$\\.\pipe\eafwolca
                                                                                                                      • API String ID: 1082366364-3742500519
                                                                                                                      • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                                      • Instruction ID: 15ca61cffbfacf7e0abe9dac50789dbaf13d2751111648b4266baca4b92553e1
                                                                                                                      • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                                      • Instruction Fuzzy Hash: 442138E174434479F7226735AC89FFB2E4E8B52710F1880A9F504D5292DADD88D6836D
                                                                                                                      APIs
                                                                                                                      • BuildCommDCBW.KERNEL32(00000000,?), ref: 0041A25D
                                                                                                                      • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A275
                                                                                                                      • UnhandledExceptionFilter.KERNEL32(00000000), ref: 0041A27D
                                                                                                                      • SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,0041C980), ref: 0041A2C4
                                                                                                                      • GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 0041A2D5
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734672491.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_415000_bndqedvz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BuildCalendarCommExceptionFilterInfoNamePathPrivateProfileShortStringUnhandledWrite
                                                                                                                      • String ID: -
                                                                                                                      • API String ID: 1417380309-2547889144
                                                                                                                      • Opcode ID: 2c70b2e27553c37d51635817894fb92d35fd66a59e975567011c2500a9255d00
                                                                                                                      • Instruction ID: a6596ea4d5d39f75678243f646b5f7fb3d1533af8648bb96340218ed538d7df8
                                                                                                                      • Opcode Fuzzy Hash: 2c70b2e27553c37d51635817894fb92d35fd66a59e975567011c2500a9255d00
                                                                                                                      • Instruction Fuzzy Hash: BA212970745304ABD760DF64EC85BDE7BA4EB0C711F5000E9F709AA2C1CA7519C18B5E
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen
                                                                                                                      • String ID: $localcfg
                                                                                                                      • API String ID: 1659193697-2018645984
                                                                                                                      • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                                      • Instruction ID: 74053ba8178b23985ab5d92ef51cb47675ff35c71b4fc412fe83397c9531a25c
                                                                                                                      • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                                      • Instruction Fuzzy Hash: AC711AF1A40314AADF319BD8DC85FEE3B6B9F00705F24442BF904A62A1DB629DC4875B
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                        • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                                                      • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                                      • String ID: flags_upd$localcfg
                                                                                                                      • API String ID: 204374128-3505511081
                                                                                                                      • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                                      • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                                                      • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                                      • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 006BDF6C: GetCurrentThreadId.KERNEL32 ref: 006BDFBA
                                                                                                                      • lstrcmp.KERNEL32(00410178,00000000), ref: 006BE8FA
                                                                                                                      • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,006B6128), ref: 006BE950
                                                                                                                      • lstrcmp.KERNEL32(?,00000008), ref: 006BE989
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                                                      • String ID: A$ A$ A
                                                                                                                      • API String ID: 2920362961-1846390581
                                                                                                                      • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                                      • Instruction ID: 0536a573064547d0b04232564c4ad65d176856580b32ba604d7145b37bb6168a
                                                                                                                      • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                                      • Instruction Fuzzy Hash: 6F31DEB16007059FDB71AF24C884BE63BEAEB04321F10892AE55687652D376E8C8CB85
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Code
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3609698214-0
                                                                                                                      • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                                      • Instruction ID: f459e290a05e33cf45612fcb91665dcf790117a2189e053b51c5553fb3d88190
                                                                                                                      • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                                      • Instruction Fuzzy Hash: CB215EBA108119BFDB109B70FC49EDF3FAEEB49361B208425F502D1091EB75DA829778
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Code
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3609698214-0
                                                                                                                      • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                                      • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                                                      • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                                      • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                                                      APIs
                                                                                                                      • GetTempPathA.KERNEL32(00000400,?), ref: 006B92E2
                                                                                                                      • wsprintfA.USER32 ref: 006B9350
                                                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 006B9375
                                                                                                                      • lstrlen.KERNEL32(?,?,00000000), ref: 006B9389
                                                                                                                      • WriteFile.KERNEL32(00000000,?,00000000), ref: 006B9394
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 006B939B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2439722600-0
                                                                                                                      • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                                                      • Instruction ID: 1be7b2fe78daf1b1c9082bd96cd65f8ca3822c15a3a88750ea45fa635b720791
                                                                                                                      • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                                                      • Instruction Fuzzy Hash: 8F1175F16401147BE7606B31DC0EFEF3A6EDBC5B10F008069BB05A5092EEB54A818768
                                                                                                                      APIs
                                                                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                                                      • wsprintfA.USER32 ref: 004090E9
                                                                                                                      • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2439722600-0
                                                                                                                      • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                                      • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                                                      • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                                      • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                                                      • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0040E538,?,76230F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                                                      • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3819781495-0
                                                                                                                      • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                                      • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                                                      • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                                      • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 006BC6B4
                                                                                                                      • InterlockedIncrement.KERNEL32(006BC74B), ref: 006BC715
                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,006BC747), ref: 006BC728
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,006BC747,00413588,006B8A77), ref: 006BC733
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                                                      • String ID: localcfg
                                                                                                                      • API String ID: 1026198776-1857712256
                                                                                                                      • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                                      • Instruction ID: 23ded12b5c176d12ee769dc57cdfddf77dfe4e10016bc28ce02b4ece58f86a1f
                                                                                                                      • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                                      • Instruction Fuzzy Hash: 3A516DB1A00B418FD7748F69C5C556ABBEAFB48310B50593EE18BC7A90EB74F980CB14
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0040815F
                                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408187
                                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 004081BE
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408210
                                                                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                                                        • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                                                        • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                                                        • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                                      • String ID: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe
                                                                                                                      • API String ID: 124786226-729601064
                                                                                                                      • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                                                      • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                                                      • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                                                      • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                                                      APIs
                                                                                                                      • RegCreateKeyExA.ADVAPI32(80000001,006BE50A,00000000,00000000,00000000,00020106,00000000,006BE50A,00000000,000000E4), ref: 006BE319
                                                                                                                      • RegSetValueExA.ADVAPI32(006BE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 006BE38E
                                                                                                                      • RegDeleteValueA.ADVAPI32(006BE50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dk), ref: 006BE3BF
                                                                                                                      • RegCloseKey.ADVAPI32(006BE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dk,006BE50A), ref: 006BE3C8
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Value$CloseCreateDelete
                                                                                                                      • String ID: Dk
                                                                                                                      • API String ID: 2667537340-2856625741
                                                                                                                      • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                                      • Instruction ID: 4cc6f4fbd06c128ed311dcccea2bd4c17da698489058b4e577cb930936ab2250
                                                                                                                      • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                                      • Instruction Fuzzy Hash: 58213071A0021DBBDF209FA5EC85EDE7FB9EF08750F048065F904E7161E6728A94D790
                                                                                                                      APIs
                                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 006B71E1
                                                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 006B7228
                                                                                                                      • LocalFree.KERNEL32(?,?,?), ref: 006B7286
                                                                                                                      • wsprintfA.USER32 ref: 006B729D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                                                      • String ID: |
                                                                                                                      • API String ID: 2539190677-2343686810
                                                                                                                      • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                                      • Instruction ID: 09d3af7159d2dcfeb0ac0dfbdfc522f6efa54dfff2d850ef965bc7f5b641d2a0
                                                                                                                      • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                                      • Instruction Fuzzy Hash: 60314DB2904108BFCB01DFA8DC45ADA3BADEF04314F14C066F959DB251EA75D7888BA4
                                                                                                                      APIs
                                                                                                                      • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                                                                      • String ID: LocalHost
                                                                                                                      • API String ID: 3695455745-3154191806
                                                                                                                      • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                                      • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                                                      • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                                      • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                                                      • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: QueryValue$CloseOpen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1586453840-0
                                                                                                                      • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                                      • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                                                      • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                                      • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                                                      APIs
                                                                                                                      • GetLocalTime.KERNEL32(?), ref: 006BB51A
                                                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006BB529
                                                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 006BB548
                                                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 006BB590
                                                                                                                      • wsprintfA.USER32 ref: 006BB61E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4026320513-0
                                                                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                      • Instruction ID: 9c11a758eba6fa2df1a945dd717de70b1c48309a7c81316d1b213546623a8ccf
                                                                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                      • Instruction Fuzzy Hash: E55100B1D0021DAACF24DFD5D8895EEBBB9BF48304F10816AF505A6150E7F94AC9CF98
                                                                                                                      APIs
                                                                                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 006B6303
                                                                                                                      • LoadLibraryA.KERNEL32(?), ref: 006B632A
                                                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 006B63B1
                                                                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 006B6405
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2438460464-0
                                                                                                                      • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                                      • Instruction ID: 68eabd08c11c9f1f8b7fc32a638833010fd6402f4ce3bb1f1341f352a82d09e1
                                                                                                                      • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                                      • Instruction Fuzzy Hash: 724147B1A00619ABDB14CF58C884BE9B7EAEF04358F288169F915D7390E779ED81CB50
                                                                                                                      APIs
                                                                                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2438460464-0
                                                                                                                      • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                                                      • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                                                      • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                                                      • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                                      • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                                                      • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                                      • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                      • lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,00405EC1), ref: 0040E693
                                                                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                                                      • lstrcmpA.KERNEL32(?,00000008,?,76230F10,00000000,?,00405EC1), ref: 0040E722
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                                      • String ID: A$ A
                                                                                                                      • API String ID: 3343386518-686259309
                                                                                                                      • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                                      • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                                                      • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                                      • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 0040272E
                                                                                                                      • htons.WS2_32(00000001), ref: 00402752
                                                                                                                      • htons.WS2_32(0000000F), ref: 004027D5
                                                                                                                      • htons.WS2_32(00000001), ref: 004027E3
                                                                                                                      • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                                        • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                                        • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1802437671-0
                                                                                                                      • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                                      • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                                                      • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                                      • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                                                      APIs
                                                                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: setsockopt
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3981526788-0
                                                                                                                      • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                                      • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                                                      • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                                      • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 006B93C6
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 006B93CD
                                                                                                                      • CharToOemA.USER32(?,?), ref: 006B93DB
                                                                                                                      • wsprintfA.USER32 ref: 006B9410
                                                                                                                        • Part of subcall function 006B92CB: GetTempPathA.KERNEL32(00000400,?), ref: 006B92E2
                                                                                                                        • Part of subcall function 006B92CB: wsprintfA.USER32 ref: 006B9350
                                                                                                                        • Part of subcall function 006B92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 006B9375
                                                                                                                        • Part of subcall function 006B92CB: lstrlen.KERNEL32(?,?,00000000), ref: 006B9389
                                                                                                                        • Part of subcall function 006B92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 006B9394
                                                                                                                        • Part of subcall function 006B92CB: CloseHandle.KERNEL32(00000000), ref: 006B939B
                                                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 006B9448
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3857584221-0
                                                                                                                      • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                                      • Instruction ID: 9db4bccc620a3744e032da898d5bb17b0e6f02c36b390199d231dbfb049ed944
                                                                                                                      • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                                      • Instruction Fuzzy Hash: E9019EF69001187BDB20A7619D89EDF3B7CDB85701F0040A6BB09E2080EAB49BC58F79
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                                                      • CharToOemA.USER32(?,?), ref: 00409174
                                                                                                                      • wsprintfA.USER32 ref: 004091A9
                                                                                                                        • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                                                        • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                                        • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                                        • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                                        • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                                        • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3857584221-0
                                                                                                                      • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                                      • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                                                      • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                                      • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                                                      APIs
                                                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$lstrcmpi
                                                                                                                      • String ID: localcfg
                                                                                                                      • API String ID: 1808961391-1857712256
                                                                                                                      • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                                      • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                                                      • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                                      • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                                      • API String ID: 2574300362-1087626847
                                                                                                                      • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                                      • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                                                      • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                                      • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                                      • String ID: hi_id$localcfg
                                                                                                                      • API String ID: 2777991786-2393279970
                                                                                                                      • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                                      • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                                                      • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                                      • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                                                      APIs
                                                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                      • String ID: *p@
                                                                                                                      • API String ID: 3429775523-2474123842
                                                                                                                      • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                                      • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                                                      • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                                      • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: gethostbynameinet_addr
                                                                                                                      • String ID: time_cfg$u6A
                                                                                                                      • API String ID: 1594361348-1940331995
                                                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                      • Instruction ID: 2b543db22de2a1722aedc879ff42c815d961ec5518d060d3a3f7d84f873e3c12
                                                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                      • Instruction Fuzzy Hash: BBE0C2306041229FCB009B2CF848AC637E6EF0A330F008580F044C32A0C734DCC09780
                                                                                                                      APIs
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 006B69E5
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 006B6A26
                                                                                                                      • GetFileSize.KERNEL32(000000FF,00000000), ref: 006B6A3A
                                                                                                                      • CloseHandle.KERNEL32(000000FF), ref: 006B6BD8
                                                                                                                        • Part of subcall function 006BEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,006B1DCF,?), ref: 006BEEA8
                                                                                                                        • Part of subcall function 006BEE95: HeapFree.KERNEL32(00000000), ref: 006BEEAF
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3384756699-0
                                                                                                                      • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                                      • Instruction ID: 930ff50f156b4da0f67ee69f8894bb97a8a50beff4a971d08a2575a6198077a7
                                                                                                                      • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                                      • Instruction Fuzzy Hash: 1A7107B190021DEFDF119FA4CC809EEBBBAFB04354F10456AF515E6290D7349E92DB50
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: wsprintf
                                                                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                                      • API String ID: 2111968516-120809033
                                                                                                                      • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                                      • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                                                      • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                                      • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                                                      APIs
                                                                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                                      • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                                                      • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                                                      • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Value$CloseCreateDelete
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2667537340-0
                                                                                                                      • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                                      • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                                                      • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                                      • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                                                      APIs
                                                                                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 006B41AB
                                                                                                                      • GetLastError.KERNEL32 ref: 006B41B5
                                                                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 006B41C6
                                                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 006B41D9
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3373104450-0
                                                                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                      • Instruction ID: 5a34bea5c9dfc7e56ca08f76080b8e730c461b1cece87c3911cffb5e72414fdc
                                                                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                      • Instruction Fuzzy Hash: 09014C7691110AAFDF01DF94ED84BEF3B6DEB18355F004061F901E2150DB70DA908BB5
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 006B421F
• GetLastError.KERNEL32 ref: 006B4229
• WaitForSingleObject.KERNEL32(?,?), ref: 006B423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 006B424D
Memory Dump Source
• Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 006BE066
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
APIs
• QueryDosDeviceW.KERNEL32(00000000,00000000,00000000,00000000,0041B044,0041A6D1), ref: 0041A32C
• FreeEnvironmentStringsW.KERNEL32(00000000,00000000,0041B044,0041A6D1), ref: 0041A347
• RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0041A36A
• GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 0041A374
Memory Dump Source
• Source File: 0000000C.00000002.2734672491.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_415000_bndqedvz.jbxd
Similarity
• API ID: AllocateDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
• String ID:
• API String ID: 2305449109-0
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• WriteFile.KERNEL32(00000001,Dk,00000000,00000000,00000000), ref: 006BE470
• CloseHandle.KERNEL32(00000001,00000003), ref: 006BE484
  • Part of subcall function 006BE2FC: RegCreateKeyExA.ADVAPI32(80000001,006BE50A,00000000,00000000,00000000,00020106,00000000,006BE50A,00000000,000000E4), ref: 006BE319
  • Part of subcall function 006BE2FC: RegSetValueExA.ADVAPI32(006BE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 006BE38E
  • Part of subcall function 006BE2FC: RegDeleteValueA.ADVAPI32(006BE50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dk), ref: 006BE3BF
  • Part of subcall function 006BE2FC: RegCloseKey.ADVAPI32(006BE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dk,006BE50A), ref: 006BE3C8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: Dk
• API String ID: 4151426672-2856625741
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 006B83C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 006B8477
  • Part of subcall function 006B69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 006B69E5
  • Part of subcall function 006B69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 006B6A26
  • Part of subcall function 006B69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 006B6A3A
  • Part of subcall function 006BEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,006B1DCF,?), ref: 006BEEA8
  • Part of subcall function 006BEE95: HeapFree.KERNEL32(00000000), ref: 006BEEAF
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe
• API String ID: 359188348-729601064
                                                                                                                      • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                                      • Instruction ID: c2e9182f06fbab6fab5434b4d706d346d245c3935e2e72656f2fd83f94895bf1
                                                                                                                      • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                                      • Instruction Fuzzy Hash: 534150F290110ABEEB10ABA49E81DFF77AEEB04340F1444AAF504D7151EAB19AD5CB64
                                                                                                                      APIs
                                                                                                                      • GetLocalTime.KERNEL32(?), ref: 006BAFFF
                                                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 006BB00D
                                                                                                                        • Part of subcall function 006BAF6F: gethostname.WS2_32(?,00000080), ref: 006BAF83
                                                                                                                        • Part of subcall function 006BAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 006BAFE6
                                                                                                                        • Part of subcall function 006B331C: gethostname.WS2_32(?,00000080), ref: 006B333F
                                                                                                                        • Part of subcall function 006B331C: gethostbyname.WS2_32(?), ref: 006B3349
                                                                                                                        • Part of subcall function 006BAA0A: inet_ntoa.WS2_32(00000000), ref: 006BAA10
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                                      • String ID: %OUTLOOK_BND_
                                                                                                                      • API String ID: 1981676241-3684217054
                                                                                                                      • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                                      • Instruction ID: fa46622967c40357ad717dfcb3ffdd1d8d1ca4161840553c4f020f83c8059f87
                                                                                                                      • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                                      • Instruction Fuzzy Hash: 404144B290020CABDB65EFA4DC46EEF3B6DFF04304F14442AF92492162EB75D6948B58
                                                                                                                      APIs
                                                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 006B9536
                                                                                                                      • Sleep.KERNEL32(000001F4), ref: 006B955D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ExecuteShellSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4194306370-3916222277
                                                                                                                      • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                                      • Instruction ID: 25e3eb5d971479210e59fa89943929a8cb4874589d42bb6192ef9a50cacd86a9
                                                                                                                      • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                                      • Instruction Fuzzy Hash: B441F5F28443986EEB378B64D8987F63BE69B02314F2441A5D686972A2D6744DC2C731
                                                                                                                      APIs
                                                                                                                      • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                                      • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: FileWrite
                                                                                                                      • String ID: ,k@
                                                                                                                      • API String ID: 3934441357-1053005162
                                                                                                                      • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                                      • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                                      • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                                      • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 006BB9D9
                                                                                                                      • InterlockedIncrement.KERNEL32(00413648), ref: 006BBA3A
                                                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 006BBA94
                                                                                                                      • GetTickCount.KERNEL32 ref: 006BBB79
                                                                                                                      • GetTickCount.KERNEL32 ref: 006BBB99
                                                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 006BBE15
                                                                                                                      • closesocket.WS2_32(00000000), ref: 006BBEB4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountIncrementInterlockedTick$closesocket
                                                                                                                      • String ID: %FROM_EMAIL
                                                                                                                      • API String ID: 1869671989-2903620461
                                                                                                                      • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                                      • Instruction ID: a89054514313d45f67cc999684ef9ffeb2e840fc5a1a052ea1c340f5be6d0c6a
                                                                                                                      • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                                      • Instruction Fuzzy Hash: 7831B1B1500248DFDF65DFA4DC85AED77BAEB48700F20405AFA2482161DBB4DAC6CF14
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountTick
                                                                                                                      • String ID: localcfg
                                                                                                                      • API String ID: 536389180-1857712256
                                                                                                                      • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                                      • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                                                      • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                                      • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountTickwsprintf
                                                                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                                      • API String ID: 2424974917-1012700906
                                                                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                                      • String ID: %FROM_EMAIL
                                                                                                                      • API String ID: 3716169038-2903620461
                                                                                                                      • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                                                      • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                                                      APIs
                                                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 006B70BC
                                                                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 006B70F4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Name$AccountLookupUser
                                                                                                                      • String ID: |
                                                                                                                      • API String ID: 2370142434-2343686810
                                                                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                                      • Instruction ID: cdeacaa47fa52bc7df9677e09817c03b854a777e7c1fd6521c85a1e140859660
                                                                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                                      • Instruction Fuzzy Hash: 321121B290411CEBDF11CFD8DC84ADEB7BEAB45711F1841A6E501E6190D7709B88DBB0
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                                      • String ID: localcfg
                                                                                                                      • API String ID: 2777991786-1857712256
                                                                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                                                      APIs
                                                                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                                                      • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                                                                      • String ID: %FROM_EMAIL
                                                                                                                      • API String ID: 224340156-2903620461
                                                                                                                      • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                                      • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                                                      • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                                      • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                                                      APIs
                                                                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                                                      • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                                                                      • String ID: localcfg
                                                                                                                      • API String ID: 2112563974-1857712256
                                                                                                                      • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                                      • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                                                      • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                                      • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                                                      APIs
                                                                                                                      • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                                                      • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: gethostbynameinet_addr
                                                                                                                      • String ID: time_cfg
                                                                                                                      • API String ID: 1594361348-2401304539
                                                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                      • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                      • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000), ref: 0040EAF2
                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: ntdll.dll
                                                                                                                      • API String ID: 2574300362-2227199552
                                                                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 006B2F88: GetModuleHandleA.KERNEL32(?), ref: 006B2FA1
                                                                                                                        • Part of subcall function 006B2F88: LoadLibraryA.KERNEL32(?), ref: 006B2FB1
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006B31DA
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 006B31E1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2736938227.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_6b0000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1017166417-0
                                                                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                                      • Instruction ID: bdb9d342fc083dba44b2461bd35db4b3d59f00c650d890a9dbdbcd9b347af529
                                                                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                                      • Instruction Fuzzy Hash: DB51AEB1A00256EFCB019F68DC849FAB77AFF15300B144168EC9687321E732DB99CB94
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 0000000C.00000002.2734567554.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_12_2_400000_bndqedvz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1017166417-0
                                                                                                                      • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                                                      • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:15.1%
                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                      Signature Coverage:0.7%
                                                                                                                      Total number of Nodes:1807
                                                                                                                      Total number of Limit Nodes:18
                                                                                                                      execution_graph: node and edge listing backing the interactive execution graph widget (function addresses with their API calls and call edges); the raw graph data is not reproduced here.
6812->6815 6812->6818 6813 391b1c GetAdaptersAddresses 6813->6815 6816 391b29 6813->6816 6814 39ebed 8 API calls 6814->6815 6815->6813 6815->6814 6815->6816 6816->6816 6817 39ec2e codecvt 4 API calls 6816->6817 6816->6818 6817->6818 6818->6752 6820 396ec3 2 API calls 6819->6820 6821 397ef4 6820->6821 6831 397fc9 6821->6831 6855 3973ff 6821->6855 6823 397f16 6823->6831 6875 397809 GetUserNameA 6823->6875 6825 397f63 6825->6831 6899 39ef1e lstrlenA 6825->6899 6828 39ef1e lstrlenA 6829 397fb7 6828->6829 6901 397a95 RegOpenKeyExA 6829->6901 6831->6320 6833 397073 6832->6833 6834 3970b9 RegOpenKeyExA 6833->6834 6835 3970d0 6834->6835 6849 3971b8 6834->6849 6836 396dc2 6 API calls 6835->6836 6839 3970d5 6836->6839 6837 39719b RegEnumValueA 6838 3971af RegCloseKey 6837->6838 6837->6839 6838->6849 6839->6837 6841 3971d0 6839->6841 6932 39f1a5 lstrlenA 6839->6932 6842 397205 RegCloseKey 6841->6842 6843 397227 6841->6843 6842->6849 6844 3972b8 ___ascii_stricmp 6843->6844 6845 39728e RegCloseKey 6843->6845 6846 3972cd RegCloseKey 6844->6846 6847 3972dd 6844->6847 6845->6849 6846->6849 6848 397311 RegCloseKey 6847->6848 6850 397335 6847->6850 6848->6849 6849->6319 6851 3973d5 RegCloseKey 6850->6851 6853 39737e GetFileAttributesExA 6850->6853 6854 397397 6850->6854 6852 3973e4 6851->6852 6853->6854 6854->6851 6856 39741b 6855->6856 6857 396dc2 6 API calls 6856->6857 6858 39743f 6857->6858 6859 397469 RegOpenKeyExA 6858->6859 6860 3977f9 6859->6860 6870 397487 ___ascii_stricmp 6859->6870 6860->6823 6861 397703 RegEnumKeyA 6862 397714 RegCloseKey 6861->6862 6861->6870 6862->6860 6863 3974d2 RegOpenKeyExA 6863->6870 6864 39772c 6866 39774b 6864->6866 6867 397742 RegCloseKey 6864->6867 6865 397521 RegQueryValueExA 6865->6870 6868 3977ec RegCloseKey 6866->6868 6867->6866 6868->6860 6869 3976e4 RegCloseKey 6869->6870 6870->6861 6870->6863 6870->6864 6870->6865 6870->6869 6872 39f1a5 lstrlenA 6870->6872 6873 39777e GetFileAttributesExA 6870->6873 6874 397769 6870->6874 6871 3977e3 
RegCloseKey 6871->6868 6872->6870 6873->6874 6874->6871 6876 39783d LookupAccountNameA 6875->6876 6877 397a8d 6875->6877 6876->6877 6878 397874 GetLengthSid GetFileSecurityA 6876->6878 6877->6825 6878->6877 6879 3978a8 GetSecurityDescriptorOwner 6878->6879 6880 39791d GetSecurityDescriptorDacl 6879->6880 6881 3978c5 EqualSid 6879->6881 6880->6877 6887 397941 6880->6887 6881->6880 6882 3978dc LocalAlloc 6881->6882 6882->6880 6883 3978ef InitializeSecurityDescriptor 6882->6883 6885 3978fb SetSecurityDescriptorOwner 6883->6885 6886 397916 LocalFree 6883->6886 6884 39795b GetAce 6884->6887 6885->6886 6888 39790b SetFileSecurityA 6885->6888 6886->6880 6887->6877 6887->6884 6889 397980 EqualSid 6887->6889 6890 397a3d 6887->6890 6891 3979be EqualSid 6887->6891 6892 39799d DeleteAce 6887->6892 6888->6886 6889->6887 6890->6877 6893 397a43 LocalAlloc 6890->6893 6891->6887 6892->6887 6893->6877 6894 397a56 InitializeSecurityDescriptor 6893->6894 6895 397a62 SetSecurityDescriptorDacl 6894->6895 6896 397a86 LocalFree 6894->6896 6895->6896 6897 397a73 SetFileSecurityA 6895->6897 6896->6877 6897->6896 6898 397a83 6897->6898 6898->6896 6900 397fa6 6899->6900 6900->6828 6902 397acb GetUserNameA 6901->6902 6903 397ac4 6901->6903 6904 397aed LookupAccountNameA 6902->6904 6905 397da7 RegCloseKey 6902->6905 6903->6831 6904->6905 6906 397b24 RegGetKeySecurity 6904->6906 6905->6903 6906->6905 6907 397b49 GetSecurityDescriptorOwner 6906->6907 6908 397bb8 GetSecurityDescriptorDacl 6907->6908 6909 397b63 EqualSid 6907->6909 6910 397da6 6908->6910 6924 397bdc 6908->6924 6909->6908 6911 397b74 LocalAlloc 6909->6911 6910->6905 6911->6908 6912 397b8a InitializeSecurityDescriptor 6911->6912 6914 397bb1 LocalFree 6912->6914 6915 397b96 SetSecurityDescriptorOwner 6912->6915 6913 397bf8 GetAce 6913->6924 6914->6908 6915->6914 6916 397ba6 RegSetKeySecurity 6915->6916 6916->6914 6917 397c1d EqualSid 6917->6924 6918 397cd9 6918->6910 6921 397d5a LocalAlloc 6918->6921 6922 397cf2 RegOpenKeyExA 
6918->6922 6919 397c5f EqualSid 6919->6924 6920 397c3a DeleteAce 6920->6924 6921->6910 6923 397d70 InitializeSecurityDescriptor 6921->6923 6922->6921 6929 397d0f 6922->6929 6925 397d7c SetSecurityDescriptorDacl 6923->6925 6926 397d9f LocalFree 6923->6926 6924->6910 6924->6913 6924->6917 6924->6918 6924->6919 6924->6920 6925->6926 6927 397d8c RegSetKeySecurity 6925->6927 6926->6910 6927->6926 6928 397d9c 6927->6928 6928->6926 6930 397d43 RegSetValueExA 6929->6930 6930->6921 6931 397d54 6930->6931 6931->6921 6933 39f1c3 6932->6933 6933->6839 6934->6340 6936 39dd05 6 API calls 6935->6936 6939 39e65f 6936->6939 6937 39e6a5 6938 39ebcc 4 API calls 6937->6938 6943 39e6f5 6937->6943 6941 39e6b0 6938->6941 6939->6937 6940 39e68c lstrcmpA 6939->6940 6940->6939 6941->6943 6944 39e6b7 6941->6944 6945 39e6e0 lstrcpynA 6941->6945 6942 39e71d lstrcmpA 6942->6943 6943->6942 6943->6944 6944->6342 6945->6943 6946->6348 6948 39268e 6947->6948 6949 392692 inet_addr 6947->6949 6951 39f428 6948->6951 6949->6948 6950 39269e gethostbyname 6949->6950 6950->6948 7099 39f315 6951->7099 6954 39f43e 6955 39f473 recv 6954->6955 6956 39f458 6955->6956 6957 39f47c 6955->6957 6956->6955 6956->6957 6957->6379 6959 39c532 6958->6959 6960 39c525 6958->6960 6961 39c548 6959->6961 7112 39e7ff 6959->7112 6960->6959 6962 39ec2e codecvt 4 API calls 6960->6962 6964 39e7ff lstrcmpiA 6961->6964 6971 39c54f 6961->6971 6962->6959 6965 39c615 6964->6965 6966 39ebcc 4 API calls 6965->6966 6965->6971 6966->6971 6967 39c5d1 6969 39ebcc 4 API calls 6967->6969 6969->6971 6970 39e819 11 API calls 6972 39c5b7 6970->6972 6971->6361 6973 39f04e 4 API calls 6972->6973 6974 39c5bf 6973->6974 6974->6961 6974->6967 6977 39c8d2 6975->6977 6976 39c907 6976->6363 6977->6976 6978 39c517 23 API calls 6977->6978 6978->6976 6980 39c670 6979->6980 6981 39c67d 6979->6981 6982 39ebcc 4 API calls 6980->6982 6983 39ebcc 4 API calls 6981->6983 6984 39c699 6981->6984 6982->6981 6983->6984 6985 39c6f3 6984->6985 6986 39c73c send 
6984->6986 6985->6392 6985->6424 6986->6985 6988 39c770 6987->6988 6989 39c77d 6987->6989 6990 39ebcc 4 API calls 6988->6990 6991 39c799 6989->6991 6992 39ebcc 4 API calls 6989->6992 6990->6989 6993 39c7b5 6991->6993 6994 39ebcc 4 API calls 6991->6994 6992->6991 6995 39f43e recv 6993->6995 6994->6993 6996 39c7cb 6995->6996 6997 39f43e recv 6996->6997 6998 39c7d3 6996->6998 6997->6998 6998->6424 7115 397db7 6999->7115 7002 39f04e 4 API calls 7005 397e4c 7002->7005 7003 397e96 7003->6424 7004 397e70 7004->7003 7006 39f04e 4 API calls 7004->7006 7005->7004 7007 39f04e 4 API calls 7005->7007 7006->7003 7007->7004 7009 396ec3 2 API calls 7008->7009 7010 397fdd 7009->7010 7011 3973ff 17 API calls 7010->7011 7020 3980c2 CreateProcessA 7010->7020 7012 397fff 7011->7012 7013 397809 21 API calls 7012->7013 7012->7020 7014 39804d 7013->7014 7015 39ef1e lstrlenA 7014->7015 7014->7020 7016 39809e 7015->7016 7017 39ef1e lstrlenA 7016->7017 7018 3980af 7017->7018 7019 397a95 24 API calls 7018->7019 7019->7020 7020->6445 7020->6446 7022 397db7 2 API calls 7021->7022 7023 397eb8 7022->7023 7024 39f04e 4 API calls 7023->7024 7025 397ece DeleteFileA 7024->7025 7025->6424 7027 39dd05 6 API calls 7026->7027 7028 39e31d 7027->7028 7119 39e177 7028->7119 7030 39e326 7030->6418 7032 3931f3 7031->7032 7034 3931ec 7031->7034 7033 39ebcc 4 API calls 7032->7033 7047 3931fc 7033->7047 7034->6424 7035 393459 7038 39f04e 4 API calls 7035->7038 7036 39349d 7037 39ec2e codecvt 4 API calls 7036->7037 7037->7034 7039 39345f 7038->7039 7041 3930fa 4 API calls 7039->7041 7040 39ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7040->7047 7041->7034 7042 39344d 7043 39ec2e codecvt 4 API calls 7042->7043 7044 39344b 7043->7044 7044->7035 7044->7036 7046 393141 lstrcmpiA 7046->7047 7047->7034 7047->7040 7047->7042 7047->7044 7047->7046 7145 3930fa GetTickCount 7047->7145 7049 3930fa 4 API calls 7048->7049 7050 393c1a 7049->7050 7051 393ce6 7050->7051 7150 393a72 7050->7150 7051->6424 7054 
393a72 9 API calls 7056 393c5e 7054->7056 7055 393a72 9 API calls 7055->7056 7056->7051 7056->7055 7057 39ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7056->7057 7057->7056 7059 393a10 7058->7059 7060 3930fa 4 API calls 7059->7060 7061 393a1a 7060->7061 7061->6424 7063 39dd05 6 API calls 7062->7063 7064 39e7be 7063->7064 7064->6424 7066 39c07e wsprintfA 7065->7066 7070 39c105 7065->7070 7159 39bfce GetTickCount wsprintfA 7066->7159 7068 39c0ef 7160 39bfce GetTickCount wsprintfA 7068->7160 7070->6424 7072 396f88 LookupAccountNameA 7071->7072 7073 397047 7071->7073 7075 396fcb 7072->7075 7076 397025 7072->7076 7073->6424 7078 396fdb ConvertSidToStringSidA 7075->7078 7161 396edd 7076->7161 7078->7076 7080 396ff1 7078->7080 7080->7080 7081 397013 LocalFree 7080->7081 7081->7076 7083 39dd05 6 API calls 7082->7083 7084 39e85c 7083->7084 7085 39dd84 lstrcmpiA 7084->7085 7086 39e867 7085->7086 7087 39e885 lstrcpyA 7086->7087 7172 3924a5 7086->7172 7175 39dd69 7087->7175 7093 397db7 2 API calls 7092->7093 7094 397de1 7093->7094 7095 397e16 7094->7095 7096 39f04e 4 API calls 7094->7096 7095->6424 7097 397df2 7096->7097 7097->7095 7098 39f04e 4 API calls 7097->7098 7098->7095 7100 39f33b 7099->7100 7108 39ca1d 7099->7108 7101 39f347 htons socket 7100->7101 7102 39f382 ioctlsocket 7101->7102 7103 39f374 closesocket 7101->7103 7104 39f3aa connect select 7102->7104 7105 39f39d 7102->7105 7103->7108 7107 39f3f2 __WSAFDIsSet 7104->7107 7104->7108 7106 39f39f closesocket 7105->7106 7106->7108 7107->7106 7109 39f403 ioctlsocket 7107->7109 7108->6376 7108->6954 7111 39f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7109->7111 7111->7108 7113 39dd84 lstrcmpiA 7112->7113 7114 39c58e 7113->7114 7114->6961 7114->6967 7114->6970 7116 397dc8 InterlockedExchange 7115->7116 7117 397dc0 Sleep 7116->7117 7118 397dd4 7116->7118 7117->7116 7118->7002 7118->7004 7120 39e184 7119->7120 7121 39e2e4 7120->7121 7122 39e223 7120->7122 7135 39dfe2 7120->7135 7121->7030 
7122->7121 7125 39dfe2 8 API calls 7122->7125 7124 39e1be 7124->7122 7126 39dbcf 3 API calls 7124->7126 7128 39e23c 7125->7128 7129 39e1d6 7126->7129 7127 39e21a CloseHandle 7127->7122 7128->7121 7139 39e095 RegCreateKeyExA 7128->7139 7129->7122 7129->7127 7130 39e1f9 WriteFile 7129->7130 7130->7127 7132 39e213 7130->7132 7132->7127 7133 39e2a3 7133->7121 7134 39e095 4 API calls 7133->7134 7134->7121 7136 39dffc 7135->7136 7138 39e024 7135->7138 7137 39db2e 8 API calls 7136->7137 7136->7138 7137->7138 7138->7124 7140 39e172 7139->7140 7142 39e0c0 7139->7142 7140->7133 7141 39e13d 7143 39e14e RegDeleteValueA RegCloseKey 7141->7143 7142->7141 7144 39e115 RegSetValueExA 7142->7144 7143->7140 7144->7141 7144->7142 7146 393122 InterlockedExchange 7145->7146 7147 39310f GetTickCount 7146->7147 7148 39312e 7146->7148 7147->7148 7149 39311a Sleep 7147->7149 7148->7047 7149->7146 7151 39f04e 4 API calls 7150->7151 7152 393a83 7151->7152 7153 393bc0 7152->7153 7155 393ac1 7152->7155 7158 393b66 lstrlenA 7152->7158 7154 393be6 7153->7154 7156 39ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7153->7156 7157 39ec2e codecvt 4 API calls 7154->7157 7155->7051 7155->7054 7156->7153 7157->7155 7158->7152 7158->7155 7159->7068 7160->7070 7162 396eef AllocateAndInitializeSid 7161->7162 7168 396f55 wsprintfA 7161->7168 7163 396f1c CheckTokenMembership 7162->7163 7164 396f44 7162->7164 7165 396f3b FreeSid 7163->7165 7166 396f2e 7163->7166 7164->7168 7169 396e36 GetUserNameW 7164->7169 7165->7164 7166->7165 7168->7073 7170 396e5f LookupAccountNameW 7169->7170 7171 396e97 7169->7171 7170->7171 7171->7168 7173 392419 4 API calls 7172->7173 7174 3924b6 7173->7174 7174->7087 7176 39dd79 lstrlenA 7175->7176 7176->6424 7178 39eb17 7177->7178 7180 39eb21 7177->7180 7179 39eae4 2 API calls 7178->7179 7179->7180 7180->6503 7182 3969b9 WriteFile 7181->7182 7184 396a3c 7182->7184 7186 3969ff 7182->7186 7184->6498 7184->6499 7185 396a10 WriteFile 7185->7184 7185->7186 7186->7184 
7186->7185 7188 393edc 7187->7188 7189 393ee2 7187->7189 7190 396dc2 6 API calls 7188->7190 7189->6514 7190->7189 7192 39400b CreateFileA 7191->7192 7193 39402c GetLastError 7192->7193 7194 394052 7192->7194 7193->7194 7195 394037 7193->7195 7194->6517 7195->7194 7196 394041 Sleep 7195->7196 7196->7192 7196->7194 7198 393f7c 7197->7198 7199 393f4e GetLastError 7197->7199 7201 393f8c ReadFile 7198->7201 7199->7198 7200 393f5b WaitForSingleObject GetOverlappedResult 7199->7200 7200->7198 7202 393fc2 GetLastError 7201->7202 7203 393ff0 7201->7203 7202->7203 7204 393fcf WaitForSingleObject GetOverlappedResult 7202->7204 7203->6522 7203->6523 7204->7203 7206 391924 GetVersionExA 7205->7206 7206->6562 7208 39f0ed 7207->7208 7209 39f0f1 7207->7209 7208->6594 7210 39f119 7209->7210 7211 39f0fa lstrlenA SysAllocStringByteLen 7209->7211 7212 39f11c MultiByteToWideChar 7210->7212 7211->7212 7213 39f117 7211->7213 7212->7213 7213->6594 7215 391820 17 API calls 7214->7215 7216 3918f2 7215->7216 7217 3918f9 7216->7217 7231 391280 7216->7231 7217->6590 7219 391908 7219->6590 7244 391000 7220->7244 7222 391839 7223 39183d 7222->7223 7224 391851 GetCurrentProcess 7222->7224 7223->6580 7225 391864 7224->7225 7225->6580 7229 39920e 7226->7229 7230 399308 7226->7230 7227 3992f1 Sleep 7227->7229 7228 3992bf ShellExecuteA 7228->7229 7228->7230 7229->7227 7229->7228 7229->7230 7230->6590 7234 3912e1 ShellExecuteExW 7231->7234 7233 3916f9 GetLastError 7235 391699 7233->7235 7234->7233 7237 3913a8 7234->7237 7235->7219 7236 391570 lstrlenW 7236->7237 7237->7235 7237->7236 7237->7237 7238 3915be GetStartupInfoW 7237->7238 7239 3915ff CreateProcessWithLogonW 7237->7239 7243 391668 CloseHandle 7237->7243 7238->7237 7240 3916bf GetLastError 7239->7240 7241 39163f WaitForSingleObject 7239->7241 7240->7235 7241->7237 7242 391659 CloseHandle 7241->7242 7242->7237 7243->7237 7245 39100d LoadLibraryA 7244->7245 7253 391023 7244->7253 7246 391021 7245->7246 7245->7253 7246->7222 7247 3910b5 
GetProcAddress 7248 39127b 7247->7248 7249 3910d1 GetProcAddress 7247->7249 7248->7222 7249->7248 7250 3910f0 GetProcAddress 7249->7250 7250->7248 7251 391110 GetProcAddress 7250->7251 7251->7248 7252 391130 GetProcAddress 7251->7252 7252->7248 7254 39114f GetProcAddress 7252->7254 7253->7247 7264 3910ae 7253->7264 7254->7248 7255 39116f GetProcAddress 7254->7255 7255->7248 7256 39118f GetProcAddress 7255->7256 7256->7248 7257 3911ae GetProcAddress 7256->7257 7257->7248 7258 3911ce GetProcAddress 7257->7258 7258->7248 7259 3911ee GetProcAddress 7258->7259 7259->7248 7260 391209 GetProcAddress 7259->7260 7260->7248 7261 391225 GetProcAddress 7260->7261 7261->7248 7262 391241 GetProcAddress 7261->7262 7262->7248 7263 39125c GetProcAddress 7262->7263 7263->7248 7264->7222 7266 39908d 7265->7266 7267 3990e2 wsprintfA 7266->7267 7268 39ee2a 7267->7268 7269 3990fd CreateFileA 7268->7269 7270 39911a lstrlenA WriteFile CloseHandle 7269->7270 7271 39913f 7269->7271 7270->7271 7271->6617 7271->6618 7273 39ee2a 7272->7273 7274 399794 CreateProcessA 7273->7274 7275 3997bb 7274->7275 7276 3997c2 7274->7276 7275->6629 7277 3997d4 GetThreadContext 7276->7277 7278 399801 7277->7278 7279 3997f5 7277->7279 7286 39637c 7278->7286 7280 3997f6 TerminateProcess 7279->7280 7280->7275 7282 399816 7282->7280 7283 39981e WriteProcessMemory 7282->7283 7283->7279 7284 39983b SetThreadContext 7283->7284 7284->7279 7285 399858 ResumeThread 7284->7285 7285->7275 7287 39638a GetModuleHandleA VirtualAlloc 7286->7287 7288 396386 7286->7288 7289 3963b6 7287->7289 7293 3963f5 7287->7293 7288->7282 7290 3963be VirtualAllocEx 7289->7290 7291 3963d6 7290->7291 7290->7293 7292 3963df WriteProcessMemory 7291->7292 7292->7293 7293->7282 7295 398791 7294->7295 7296 39879f 7294->7296 7297 39f04e 4 API calls 7295->7297 7298 3987bc 7296->7298 7300 39f04e 4 API calls 7296->7300 7297->7296 7299 39e819 11 API calls 7298->7299 7301 3987d7 7299->7301 7300->7298 7313 398803 7301->7313 7449 3926b2 gethostbyaddr 
7301->7449 7304 3987eb 7306 39e8a1 30 API calls 7304->7306 7304->7313 7306->7313 7309 39e819 11 API calls 7309->7313 7310 3988a0 Sleep 7310->7313 7312 3926b2 2 API calls 7312->7313 7313->7309 7313->7310 7313->7312 7314 39f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7313->7314 7315 39e8a1 30 API calls 7313->7315 7346 398cee 7313->7346 7354 39c4d6 7313->7354 7357 39c4e2 7313->7357 7360 392011 7313->7360 7395 398328 7313->7395 7314->7313 7315->7313 7317 39407d 7316->7317 7318 394084 7316->7318 7319 393ecd 6 API calls 7318->7319 7320 39408f 7319->7320 7321 394000 3 API calls 7320->7321 7322 394095 7321->7322 7323 394130 7322->7323 7324 3940c0 7322->7324 7325 393ecd 6 API calls 7323->7325 7329 393f18 4 API calls 7324->7329 7326 394159 CreateNamedPipeA 7325->7326 7327 394188 ConnectNamedPipe 7326->7327 7328 394167 Sleep 7326->7328 7332 394195 GetLastError 7327->7332 7341 3941ab 7327->7341 7328->7323 7330 394176 CloseHandle 7328->7330 7331 3940da 7329->7331 7330->7327 7333 393f8c 4 API calls 7331->7333 7334 39425e DisconnectNamedPipe 7332->7334 7332->7341 7335 3940ec 7333->7335 7334->7327 7336 394127 CloseHandle 7335->7336 7337 394101 7335->7337 7336->7323 7338 393f18 4 API calls 7337->7338 7339 39411c ExitProcess 7338->7339 7340 393f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7340->7341 7341->7327 7341->7334 7341->7340 7342 393f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7341->7342 7343 39426a CloseHandle CloseHandle 7341->7343 7342->7341 7344 39e318 23 API calls 7343->7344 7345 39427b 7344->7345 7345->7345 7347 398dae 7346->7347 7348 398d02 GetTickCount 7346->7348 7347->7313 7348->7347 7350 398d19 7348->7350 7349 398da1 GetTickCount 7349->7347 7350->7349 7353 398d89 7350->7353 7454 39a677 7350->7454 7457 39a688 7350->7457 7353->7349 7465 39c2dc 7354->7465 7358 39c2dc 142 API calls 7357->7358 7359 39c4ec 7358->7359 7359->7313 7361 392020 7360->7361 7363 39202e 7360->7363 7362 39f04e 4 API calls 
7361->7362 7362->7363 7364 39f04e 4 API calls 7363->7364 7365 39204b 7363->7365 7364->7365 7366 39206e GetTickCount 7365->7366 7367 39f04e 4 API calls 7365->7367 7368 3920db GetTickCount 7366->7368 7376 392090 7366->7376 7370 392068 7367->7370 7369 392132 GetTickCount GetTickCount 7368->7369 7381 3920e7 7368->7381 7372 39f04e 4 API calls 7369->7372 7370->7366 7371 3920d4 GetTickCount 7371->7368 7374 392159 7372->7374 7373 39212b GetTickCount 7373->7369 7377 3921b4 7374->7377 7380 39e854 13 API calls 7374->7380 7375 392684 2 API calls 7375->7376 7376->7371 7376->7375 7384 3920ce 7376->7384 7805 391978 7376->7805 7379 39f04e 4 API calls 7377->7379 7383 3921d1 7379->7383 7385 39218e 7380->7385 7381->7373 7386 392125 7381->7386 7389 391978 15 API calls 7381->7389 7795 392ef8 7381->7795 7387 3921f2 7383->7387 7390 39ea84 30 API calls 7383->7390 7384->7371 7388 39e819 11 API calls 7385->7388 7386->7373 7387->7313 7391 39219c 7388->7391 7389->7381 7392 3921ec 7390->7392 7391->7377 7810 391c5f 7391->7810 7393 39f04e 4 API calls 7392->7393 7393->7387 7396 397dd6 6 API calls 7395->7396 7397 39833c 7396->7397 7398 396ec3 2 API calls 7397->7398 7426 398340 7397->7426 7399 39834f 7398->7399 7400 39835c 7399->7400 7405 39846b 7399->7405 7401 3973ff 17 API calls 7400->7401 7427 398373 7401->7427 7402 3985df 7403 398626 GetTempPathA 7402->7403 7416 398768 7402->7416 7434 398671 7402->7434 7417 398638 7403->7417 7404 39675c 21 API calls 7404->7402 7407 3984a7 RegOpenKeyExA 7405->7407 7423 398450 7405->7423 7408 3984c0 RegQueryValueExA 7407->7408 7409 39852f 7407->7409 7411 3984dd 7408->7411 7412 398521 RegCloseKey 7408->7412 7414 398564 RegOpenKeyExA 7409->7414 7430 3985a5 7409->7430 7410 3986ad 7413 398762 7410->7413 7415 397e2f 6 API calls 7410->7415 7411->7412 7420 39ebcc 4 API calls 7411->7420 7412->7409 7413->7416 7418 398573 RegSetValueExA RegCloseKey 7414->7418 7414->7430 7419 3986bb 7415->7419 7422 39ec2e codecvt 4 API calls 7416->7422 7416->7426 7417->7434 7418->7430 7421 
39875b DeleteFileA 7419->7421 7438 3986e0 lstrcpyA lstrlenA 7419->7438 7425 3984f0 7420->7425 7421->7413 7422->7426 7423->7402 7423->7404 7425->7412 7429 3984f8 RegQueryValueExA 7425->7429 7426->7313 7427->7423 7427->7426 7428 3983ea RegOpenKeyExA 7427->7428 7428->7423 7431 3983fd RegQueryValueExA 7428->7431 7429->7412 7432 398515 7429->7432 7430->7423 7433 39ec2e codecvt 4 API calls 7430->7433 7435 39842d RegSetValueExA 7431->7435 7436 39841e 7431->7436 7437 39ec2e codecvt 4 API calls 7432->7437 7433->7423 7882 396ba7 IsBadCodePtr 7434->7882 7439 398447 RegCloseKey 7435->7439 7436->7435 7436->7439 7440 39851d 7437->7440 7441 397fcf 64 API calls 7438->7441 7439->7423 7440->7412 7442 398719 CreateProcessA 7441->7442 7443 39873d CloseHandle CloseHandle 7442->7443 7444 39874f 7442->7444 7443->7416 7445 397ee6 64 API calls 7444->7445 7446 398754 7445->7446 7447 397ead 6 API calls 7446->7447 7448 39875a 7447->7448 7448->7421 7450 3926fb 7449->7450 7451 3926cd 7449->7451 7450->7304 7452 3926e1 inet_ntoa 7451->7452 7453 3926de 7451->7453 7452->7453 7453->7304 7460 39a63d 7454->7460 7456 39a685 7456->7350 7458 39a63d GetTickCount 7457->7458 7459 39a696 7458->7459 7459->7350 7461 39a64d 7460->7461 7462 39a645 7460->7462 7463 39a65e GetTickCount 7461->7463 7464 39a66e 7461->7464 7462->7456 7463->7464 7464->7456 7482 39a4c7 GetTickCount 7465->7482 7468 39c47a 7473 39c4ab InterlockedIncrement CreateThread 7468->7473 7474 39c4d2 7468->7474 7469 39c300 GetTickCount 7471 39c337 7469->7471 7470 39c326 7470->7471 7472 39c32b GetTickCount 7470->7472 7471->7468 7476 39c363 GetTickCount 7471->7476 7472->7471 7473->7474 7475 39c4cb CloseHandle 7473->7475 7487 39b535 7473->7487 7474->7313 7475->7474 7476->7468 7477 39c373 7476->7477 7478 39c378 GetTickCount 7477->7478 7479 39c37f 7477->7479 7478->7479 7480 39c43b GetTickCount 7479->7480 7481 39c45e 7480->7481 7481->7468 7483 39a4f7 InterlockedExchange 7482->7483 7484 39a500 7483->7484 7485 39a4e4 GetTickCount 7483->7485 7484->7468 
7484->7469 7484->7470 7485->7484 7486 39a4ef Sleep 7485->7486 7486->7483 7488 39b566 7487->7488 7489 39ebcc 4 API calls 7488->7489 7490 39b587 7489->7490 7491 39ebcc 4 API calls 7490->7491 7534 39b590 7491->7534 7492 39bdcd InterlockedDecrement 7493 39bde2 7492->7493 7495 39ec2e codecvt 4 API calls 7493->7495 7496 39bdea 7495->7496 7498 39ec2e codecvt 4 API calls 7496->7498 7497 39bdb7 Sleep 7497->7534 7499 39bdf2 7498->7499 7501 39be05 7499->7501 7502 39ec2e codecvt 4 API calls 7499->7502 7500 39bdcc 7500->7492 7502->7501 7503 39ebed 8 API calls 7503->7534 7506 39b6b6 lstrlenA 7506->7534 7507 3930b5 2 API calls 7507->7534 7508 39e819 11 API calls 7508->7534 7509 39b6ed lstrcpyA 7562 395ce1 7509->7562 7512 39b71f lstrcmpA 7513 39b731 lstrlenA 7512->7513 7512->7534 7513->7534 7514 39b772 GetTickCount 7514->7534 7515 39bd49 InterlockedIncrement 7656 39a628 7515->7656 7518 39b7ce InterlockedIncrement 7572 39acd7 7518->7572 7519 3938f0 6 API calls 7519->7534 7520 39bc5b InterlockedIncrement 7520->7534 7523 39b912 GetTickCount 7523->7534 7524 39b826 InterlockedIncrement 7524->7514 7525 39bcdc closesocket 7525->7534 7526 39b932 GetTickCount 7528 39bc6d InterlockedIncrement 7526->7528 7526->7534 7527 395ce1 22 API calls 7527->7534 7528->7534 7531 39bba6 InterlockedIncrement 7531->7534 7533 39bc4c closesocket 7533->7534 7534->7492 7534->7497 7534->7500 7534->7503 7534->7506 7534->7507 7534->7508 7534->7509 7534->7512 7534->7513 7534->7514 7534->7515 7534->7518 7534->7519 7534->7520 7534->7523 7534->7524 7534->7525 7534->7526 7534->7527 7534->7531 7534->7533 7537 39ba71 wsprintfA 7534->7537 7539 39a7c1 22 API calls 7534->7539 7540 39ab81 lstrcpynA InterlockedIncrement 7534->7540 7541 39ef1e lstrlenA 7534->7541 7542 395ded 12 API calls 7534->7542 7543 39a688 GetTickCount 7534->7543 7544 393e10 7534->7544 7547 393e4f 7534->7547 7550 39384f 7534->7550 7570 39a7a3 inet_ntoa 7534->7570 7577 39abee 7534->7577 7589 391feb GetTickCount 7534->7589 7610 393cfb 7534->7610 7613 39b3c5 
7534->7613 7644 39ab81 7534->7644 7590 39a7c1 7537->7590 7539->7534 7540->7534 7541->7534 7542->7534 7543->7534 7545 3930fa 4 API calls 7544->7545 7546 393e1d 7545->7546 7546->7534 7548 3930fa 4 API calls 7547->7548 7549 393e5c 7548->7549 7549->7534 7551 3930fa 4 API calls 7550->7551 7553 393863 7551->7553 7552 3938b2 7552->7534 7553->7552 7554 3938b9 7553->7554 7555 393889 7553->7555 7665 3935f9 7554->7665 7659 393718 7555->7659 7560 3935f9 6 API calls 7560->7552 7561 393718 6 API calls 7561->7552 7563 395cec 7562->7563 7564 395cf4 7562->7564 7671 394bd1 GetTickCount 7563->7671 7566 394bd1 4 API calls 7564->7566 7567 395d02 7566->7567 7676 395472 7567->7676 7571 39a7b9 7570->7571 7571->7534 7573 39f315 14 API calls 7572->7573 7574 39aceb 7573->7574 7575 39acff 7574->7575 7576 39f315 14 API calls 7574->7576 7575->7534 7576->7575 7578 39abfb 7577->7578 7581 39ac65 7578->7581 7739 392f22 7578->7739 7580 39f315 14 API calls 7580->7581 7581->7580 7582 39ac8a 7581->7582 7583 39ac6f 7581->7583 7582->7534 7585 39ab81 2 API calls 7583->7585 7584 39ac23 7584->7581 7587 392684 2 API calls 7584->7587 7586 39ac81 7585->7586 7747 3938f0 7586->7747 7587->7584 7589->7534 7591 39a87d lstrlenA send 7590->7591 7592 39a7df 7590->7592 7593 39a899 7591->7593 7594 39a8bf 7591->7594 7592->7591 7595 39a8f2 7592->7595 7599 39a7fa wsprintfA 7592->7599 7602 39a80a 7592->7602 7596 39a8a5 wsprintfA 7593->7596 7609 39a89e 7593->7609 7594->7595 7597 39a8c4 send 7594->7597 7598 39a978 recv 7595->7598 7601 39a9b0 wsprintfA 7595->7601 7603 39a982 7595->7603 7596->7609 7597->7595 7600 39a8d8 wsprintfA 7597->7600 7598->7595 7598->7603 7599->7602 7600->7609 7601->7609 7602->7591 7604 3930b5 2 API calls 7603->7604 7603->7609 7605 39ab05 7604->7605 7606 39e819 11 API calls 7605->7606 7607 39ab17 7606->7607 7608 39a7a3 inet_ntoa 7607->7608 7608->7609 7609->7534 7611 3930fa 4 API calls 7610->7611 7612 393d0b 7611->7612 7612->7534 7614 395ce1 22 API calls 7613->7614 7615 39b3e6 7614->7615 7616 395ce1 22 
APIs
• closesocket.WS2_32(?), ref: 0039CA4E
• closesocket.WS2_32(?), ref: 0039CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0039CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0039CCB4
• WriteFile.KERNEL32(0039A4B3,?,-000000E8,?,00000000), ref: 0039CCDC
• CloseHandle.KERNEL32(0039A4B3), ref: 0039CCED
• wsprintfA.USER32 ref: 0039CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0039CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0039CD89
• CloseHandle.KERNEL32(?), ref: 0039CD98
• CloseHandle.KERNEL32(?), ref: 0039CD9D
• DeleteFileA.KERNEL32(?), ref: 0039CDC4
• CloseHandle.KERNEL32(0039A4B3), ref: 0039CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0039CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0039CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0039D033
• lstrcatA.KERNEL32(?,03B00108), ref: 0039D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0039D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0039D171
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000), ref: 0039D195
• CloseHandle.KERNEL32(00000000), ref: 0039D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0039D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0039D231
• lstrcatA.KERNEL32(?,03B00108,?,?,?,?,?,?,?,00000100), ref: 0039D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0039D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0039D2C7
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0039D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0039D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0039D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0039D372
• lstrcatA.KERNEL32(?,03B00108,?,?,?,?,?,?,?,00000100), ref: 0039D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0039D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0039D408
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0039D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0039D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0039D45B
• CreateProcessA.KERNEL32(?,003A0264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0039D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0039D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0039D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0039D513
• closesocket.WS2_32(?), ref: 0039D56C
• Sleep.KERNEL32(000003E8), ref: 0039D577
• ExitProcess.KERNEL32 ref: 0039D583
• wsprintfA.USER32 ref: 0039D81F
  • Part of subcall function 0039C65C: send.WS2_32(00000000,?,00000000), ref: 0039C74B
• closesocket.WS2_32(?), ref: 0039DAD5
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe$X :$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-1124047327
• Opcode ID: dbb14f96a78b2f962b86f57393ba482b1a99706d84013be14fc92c61593e8e83
• Instruction ID: 96f7ddda8afc410ad32f51093a3d1f30e829d80c2c621cce764bc9f80b85a82a
• Opcode Fuzzy Hash: dbb14f96a78b2f962b86f57393ba482b1a99706d84013be14fc92c61593e8e83
• Instruction Fuzzy Hash: D3B2A272940209AFEF27DFA4DC8AEEEBBBCEB06304F150469F545A7191D7309A45CB50
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00399A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00399A83
• SetUnhandledExceptionFilter.KERNEL32(00396511), ref: 00399A8A
  • Part of subcall function 0039EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0039EC5E
  • Part of subcall function 0039EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0039EC72
  • Part of subcall function 0039EC54: GetTickCount.KERNEL32 ref: 0039EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00399AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00399ABA
• GetCommandLineA.KERNEL32 ref: 00399AFD
• lstrlenA.KERNEL32(?), ref: 00399B99
• ExitProcess.KERNEL32 ref: 00399C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00399CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00399D7A
• lstrcatA.KERNEL32(?,?), ref: 00399D8B
• lstrcatA.KERNEL32(?,003A070C), ref: 00399D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00399DED
• DeleteFileA.KERNEL32(00000022), ref: 00399E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00399E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00399EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00399ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00399F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00399F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00399F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00399FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00399FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00399FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0039A038
• lstrcatA.KERNEL32(00000022,003A0A34), ref: 0039A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0039A072
• lstrcatA.KERNEL32(00000022,003A0A34), ref: 0039A08D
• wsprintfA.USER32 ref: 0039A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0039A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0039A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0039A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0039A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0039A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0039A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0039A1B6
• GetCommandLineA.KERNEL32 ref: 0039A1E5
  • Part of subcall function 003999D2: lstrcpyA.KERNEL32(?,?,00000100,003A22F8,00000000,?,00399E9D,?,00000022,?,?,?,?,?,?,?), ref: 003999DF
  • Part of subcall function 003999D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00399E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00399A3C
  • Part of subcall function 003999D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00399E9D,?,00000022,?,?,?), ref: 00399A52
• lstrlenA.KERNEL32(?), ref: 0039A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0039A3B7
• GetLastError.KERNEL32 ref: 0039A3ED
• Sleep.KERNELBASE(000003E8), ref: 0039A400
• DeleteFileA.KERNELBASE(003A33D8), ref: 0039A407
• CreateThread.KERNELBASE(00000000,00000000,0039405E,00000000,00000000,00000000), ref: 0039A42C
• WSAStartup.WS2_32(00001010,?), ref: 0039A43A
• CreateThread.KERNELBASE(00000000,00000000,0039877E,00000000,00000000,00000000), ref: 0039A469
• Sleep.KERNELBASE(00000BB8), ref: 0039A48A
• GetTickCount.KERNEL32 ref: 0039A49F
• GetTickCount.KERNEL32 ref: 0039A4B7
• Sleep.KERNELBASE(00001A90), ref: 0039A4C3
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                                      • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe$D$P$\$yuzqifwu
                                                                                                                      • API String ID: 2089075347-3744760464
                                                                                                                      • Opcode ID: 5f8666e67b57d1ba8aae4623c8f58dc0bc062e1b9a09d022a86c526bc6e04d31
                                                                                                                      • Instruction ID: 58580bb01277af12c5db38b19c51ae660bd2b5f95934d15c9225c409f485e52e
                                                                                                                      • Opcode Fuzzy Hash: 5f8666e67b57d1ba8aae4623c8f58dc0bc062e1b9a09d022a86c526bc6e04d31
                                                                                                                      • Instruction Fuzzy Hash: 67529FB1D40259AFDF23DFA4CC89EEE7BBCEB05300F1545AAF509A6141E7709A448F61

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 905 39199c-3919cc inet_addr LoadLibraryA 906 3919ce-3919d0 905->906 907 3919d5-3919fe GetProcAddress * 3 905->907 908 391abf-391ac2 906->908 909 391ab3-391ab6 FreeLibrary 907->909 910 391a04-391a06 907->910 912 391abc 909->912 910->909 911 391a0c-391a0e 910->911 911->909 913 391a14-391a28 GetBestInterface GetProcessHeap 911->913 914 391abe 912->914 913->912 915 391a2e-391a40 HeapAlloc 913->915 914->908 915->912 916 391a42-391a50 GetAdaptersInfo 915->916 917 391a62-391a67 916->917 918 391a52-391a60 HeapReAlloc 916->918 919 391a69-391a73 GetAdaptersInfo 917->919 920 391aa1-391aad FreeLibrary 917->920 918->917 919->920 921 391a75 919->921 920->912 922 391aaf-391ab1 920->922 923 391a77-391a80 921->923 922->914 924 391a8a-391a91 923->924 925 391a82-391a86 923->925 927 391a93 924->927 928 391a96-391a9b HeapFree 924->928 925->923 926 391a88 925->926 926->928 927->928 928->920
                                                                                                                      APIs
                                                                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 003919B1
                                                                                                                      • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,00391E9E), ref: 003919BF
                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 003919E2
                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 003919ED
                                                                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 003919F9
                                                                                                                      • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,00391E9E), ref: 00391A1B
                                                                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00391E9E), ref: 00391A1D
                                                                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00391E9E), ref: 00391A36
                                                                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,00391E9E,?,?,?,?,00000001,00391E9E), ref: 00391A4A
                                                                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,00391E9E,?,?,?,?,00000001,00391E9E), ref: 00391A5A
                                                                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,00391E9E,?,?,?,?,00000001,00391E9E), ref: 00391A6E
                                                                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00391E9E), ref: 00391A9B
                                                                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00391E9E), ref: 00391AA4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                                      • API String ID: 293628436-270533642
                                                                                                                      • Opcode ID: d1559768d52802eec1f86a1e7eab7d6b28ef83170b01104c0097222b5724d20d
                                                                                                                      • Instruction ID: a9252751060b5e0344f1bc9b74073f6c51dc20b045db041a1a722a9dcbbd9636
                                                                                                                      • Opcode Fuzzy Hash: d1559768d52802eec1f86a1e7eab7d6b28ef83170b01104c0097222b5724d20d
                                                                                                                      • Instruction Fuzzy Hash: 26314736E4125AAFCF169FE4CC888BEBBB9EF46341F25056AE501B2110D7308E40DB90

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 696 397a95-397ac2 RegOpenKeyExA 697 397acb-397ae7 GetUserNameA 696->697 698 397ac4-397ac6 696->698 700 397aed-397b1e LookupAccountNameA 697->700 701 397da7-397db3 RegCloseKey 697->701 699 397db4-397db6 698->699 700->701 702 397b24-397b43 RegGetKeySecurity 700->702 701->699 702->701 703 397b49-397b61 GetSecurityDescriptorOwner 702->703 704 397bb8-397bd6 GetSecurityDescriptorDacl 703->704 705 397b63-397b72 EqualSid 703->705 706 397bdc-397be1 704->706 707 397da6 704->707 705->704 708 397b74-397b88 LocalAlloc 705->708 706->707 709 397be7-397bf2 706->709 707->701 708->704 710 397b8a-397b94 InitializeSecurityDescriptor 708->710 709->707 711 397bf8-397c08 GetAce 709->711 712 397bb1-397bb2 LocalFree 710->712 713 397b96-397ba4 SetSecurityDescriptorOwner 710->713 714 397c0e-397c1b 711->714 715 397cc6 711->715 712->704 713->712 716 397ba6-397bab RegSetKeySecurity 713->716 718 397c1d-397c2f EqualSid 714->718 719 397c4f-397c52 714->719 717 397cc9-397cd3 715->717 716->712 717->711 720 397cd9-397cdc 717->720 721 397c31-397c34 718->721 722 397c36-397c38 718->722 723 397c5f-397c71 EqualSid 719->723 724 397c54-397c5e 719->724 720->707 725 397ce2-397ce8 720->725 721->718 721->722 722->719 726 397c3a-397c4d DeleteAce 722->726 727 397c73-397c84 723->727 728 397c86 723->728 724->723 729 397d5a-397d6e LocalAlloc 725->729 730 397cea-397cf0 725->730 726->717 731 397c8b-397c8e 727->731 728->731 729->707 735 397d70-397d7a InitializeSecurityDescriptor 729->735 730->729 732 397cf2-397d0d RegOpenKeyExA 730->732 733 397c9d-397c9f 731->733 734 397c90-397c96 731->734 732->729 740 397d0f-397d16 732->740 736 397ca1-397ca5 733->736 737 397ca7-397cc3 733->737 734->733 738 397d7c-397d8a SetSecurityDescriptorDacl 735->738 739 397d9f-397da0 LocalFree 735->739 736->715 736->737 737->715 738->739 741 397d8c-397d9a RegSetKeySecurity 738->741 739->707 742 397d19-397d1e 740->742 741->739 743 397d9c 741->743 742->742 744 397d20-397d52 call 392544 RegSetValueExA 742->744 743->739 744->729 747 397d54 744->747 747->729
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00397ABA
                                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00397ADF
                                                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,003A070C,?,?,?), ref: 00397B16
                                                                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00397B3B
                                                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00397B59
                                                                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00397B6A
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00397B7E
                                                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00397B8C
                                                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00397B9C
                                                                                                                      • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 00397BAB
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 00397BB2
                                                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00397FC9,?,00000000), ref: 00397BCE
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                                      • String ID: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe$D
                                                                                                                      • API String ID: 2976863881-493086155
                                                                                                                      • Opcode ID: 93c52175b265c2a65b7b833018675e9e442dc52467f7ca284db61d4b189f77ac
                                                                                                                      • Instruction ID: 21ddcc69f01bf43dfb83d8f6c386ae3ad5e18b50cf44c4e6aa294439b97a27ba
                                                                                                                      • Opcode Fuzzy Hash: 93c52175b265c2a65b7b833018675e9e442dc52467f7ca284db61d4b189f77ac
                                                                                                                      • Instruction Fuzzy Hash: 7BA12772A04219ABEF16DFA4DC88FEEBBBDFF49700F054069E505E2190E7359A45CB60

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 748 397809-397837 GetUserNameA 749 39783d-39786e LookupAccountNameA 748->749 750 397a8e-397a94 748->750 749->750 751 397874-3978a2 GetLengthSid GetFileSecurityA 749->751 751->750 752 3978a8-3978c3 GetSecurityDescriptorOwner 751->752 753 39791d-39793b GetSecurityDescriptorDacl 752->753 754 3978c5-3978da EqualSid 752->754 755 397a8d 753->755 756 397941-397946 753->756 754->753 757 3978dc-3978ed LocalAlloc 754->757 755->750 756->755 758 39794c-397955 756->758 757->753 759 3978ef-3978f9 InitializeSecurityDescriptor 757->759 758->755 760 39795b-39796b GetAce 758->760 761 3978fb-397909 SetSecurityDescriptorOwner 759->761 762 397916-397917 LocalFree 759->762 763 397a2a 760->763 764 397971-39797e 760->764 761->762 765 39790b-397910 SetFileSecurityA 761->765 762->753 768 397a2d-397a37 763->768 766 3979ae-3979b1 764->766 767 397980-397992 EqualSid 764->767 765->762 772 3979be-3979d0 EqualSid 766->772 773 3979b3-3979bd 766->773 769 397999-39799b 767->769 770 397994-397997 767->770 768->760 771 397a3d-397a41 768->771 769->766 774 39799d-3979ac DeleteAce 769->774 770->767 770->769 771->755 775 397a43-397a54 LocalAlloc 771->775 776 3979d2-3979e3 772->776 777 3979e5 772->777 773->772 774->768 775->755 778 397a56-397a60 InitializeSecurityDescriptor 775->778 779 3979ea-3979ed 776->779 777->779 780 397a62-397a71 SetSecurityDescriptorDacl 778->780 781 397a86-397a87 LocalFree 778->781 782 3979f8-3979fb 779->782 783 3979ef-3979f5 779->783 780->781 786 397a73-397a81 SetFileSecurityA 780->786 781->755 784 3979fd-397a01 782->784 785 397a03-397a0e 782->785 783->782 784->763 784->785 787 397a19-397a24 785->787 788 397a10-397a17 785->788 786->781 789 397a83 786->789 790 397a27 787->790 788->790 789->781 790->763
                                                                                                                      APIs
                                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0039782F
                                                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00397866
                                                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00397878
                                                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0039789A
                                                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00397F63,?), ref: 003978B8
                                                                                                                      • EqualSid.ADVAPI32(?,00397F63), ref: 003978D2
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 003978E3
                                                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 003978F1
                                                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00397901
                                                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00397910
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 00397917
                                                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00397933
                                                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00397963
                                                                                                                      • EqualSid.ADVAPI32(?,00397F63), ref: 0039798A
                                                                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 003979A3
                                                                                                                      • EqualSid.ADVAPI32(?,00397F63), ref: 003979C5
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00397A4A
                                                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00397A58
                                                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00397A69
                                                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00397A79
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 00397A87
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                                      • String ID: D
                                                                                                                      • API String ID: 3722657555-2746444292
                                                                                                                      • Opcode ID: 130c90072749249fcc0fac1f306d832a33528c5c38f76cae19d07b7c11ab388b
                                                                                                                      • Instruction ID: 13acd9f2e20a53bc0146f0f7124136e96cf0fa1bd404323145c1c545af851fa5
                                                                                                                      • Opcode Fuzzy Hash: 130c90072749249fcc0fac1f306d832a33528c5c38f76cae19d07b7c11ab388b
                                                                                                                      • Instruction Fuzzy Hash: 2081287191421AABDF22CFA4CD84FEEBBBCFF09740F15416AE505E2290D7359A41CBA1

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 791 398328-39833e call 397dd6 794 398348-398356 call 396ec3 791->794 795 398340-398343 791->795 799 39846b-398474 794->799 800 39835c-398378 call 3973ff 794->800 796 39877b-39877d 795->796 802 39847a-398480 799->802 803 3985c2-3985ce 799->803 810 39837e-398384 800->810 811 398464-398466 800->811 802->803 807 398486-3984ba call 392544 RegOpenKeyExA 802->807 805 3985d0-3985da call 39675c 803->805 806 398615-398620 803->806 818 3985df-3985eb 805->818 808 3986a7-3986b0 call 396ba7 806->808 809 398626-39864c GetTempPathA call 398274 call 39eca5 806->809 820 3984c0-3984db RegQueryValueExA 807->820 821 398543-398571 call 392544 RegOpenKeyExA 807->821 828 398762 808->828 829 3986b6-3986bd call 397e2f 808->829 849 39864e-39866f call 39eca5 809->849 850 398671-3986a4 call 392544 call 39ef00 call 39ee2a 809->850 810->811 816 39838a-39838d 810->816 817 398779-39877a 811->817 816->811 824 398393-398399 816->824 817->796 818->806 825 3985ed-3985ef 818->825 826 3984dd-3984e1 820->826 827 398521-39852d RegCloseKey 820->827 842 398573-39857b 821->842 843 3985a5-3985b7 call 39ee2a 821->843 831 39839c-3983a1 824->831 825->806 833 3985f1-3985fa 825->833 826->827 836 3984e3-3984e6 826->836 827->821 840 39852f-398541 call 39eed1 827->840 838 398768-39876b 828->838 858 39875b-39875c DeleteFileA 829->858 859 3986c3-39873b call 39ee2a * 2 lstrcpyA lstrlenA call 397fcf CreateProcessA 829->859 831->831 841 3983a3-3983af 831->841 833->806 835 3985fc-39860f call 3924c2 833->835 835->806 835->838 836->827 845 3984e8-3984f6 call 39ebcc 836->845 847 39876d-398775 call 39ec2e 838->847 848 398776-398778 838->848 840->821 840->843 852 3983b1 841->852 853 3983b3-3983ba 841->853 854 39857e-398583 842->854 843->803 877 3985b9-3985c1 call 39ec2e 843->877 845->827 876 3984f8-398513 RegQueryValueExA 845->876 847->848 848->817 849->850 850->808 852->853 864 398450-39845f call 39ee2a 853->864 865 3983c0-3983fb call 392544 RegOpenKeyExA 853->865 854->854 866 398585-39859f RegSetValueExA RegCloseKey 854->866 858->828 899 39873d-39874d CloseHandle * 2 859->899 900 39874f-39875a call 397ee6 call 397ead 859->900 864->803 865->864 882 3983fd-39841c RegQueryValueExA 865->882 866->843 876->827 883 398515-39851e call 39ec2e 876->883 877->803 887 39842d-398441 RegSetValueExA 882->887 888 39841e-398421 882->888 883->827 894 398447-39844a RegCloseKey 887->894 888->887 893 398423-398426 888->893 893->887 897 398428-39842b 893->897 894->864 897->887 897->894 899->838 900->858
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,003A0750,?,?,00000000,localcfg,00000000), ref: 003983F3
                                                                                                                      • RegQueryValueExA.KERNELBASE(003A0750,?,00000000,?,00398893,?,?,?,00000000,00000103,003A0750,?,?,00000000,localcfg,00000000), ref: 00398414
                                                                                                                      • RegSetValueExA.KERNELBASE(003A0750,?,00000000,00000004,00398893,00000004,?,?,00000000,00000103,003A0750,?,?,00000000,localcfg,00000000), ref: 00398441
• RegCloseKey.ADVAPI32(003A0750,?,?,00000000,00000103,003A0750,?,?,00000000,localcfg,00000000), ref: 0039844A
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe$localcfg
• API String ID: 237177642-3478224671
• Opcode ID: 6038392cf7b28b50e25f8b587b135abe2bd2f75a2ad144ecdb9f37a59be65898
• Instruction ID: 3e902f436b0d562ae8d11392898f85c7120afa4431c5ffc1a99fa4cf10e34eff
• Opcode Fuzzy Hash: 6038392cf7b28b50e25f8b587b135abe2bd2f75a2ad144ecdb9f37a59be65898
• Instruction Fuzzy Hash: 6AC190B2D40209BEEF13EFA4DC85EEF7BBCEB46300F154465F605A6051EA709E848B61

Control-flow Graph
APIs
• GetVersionExA.KERNEL32 ref: 00391DC6
• GetSystemInfo.KERNELBASE(?), ref: 00391DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00391E03
• GetProcAddress.KERNEL32(00000000), ref: 00391E0A
• GetCurrentProcess.KERNEL32(?), ref: 00391E1B
• GetTickCount.KERNEL32 ref: 00391FC9
  • Part of subcall function 00391BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00391C15
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 9d6ffb8321dcede3feb8a15ef169449e999527eb7dbd7589d2542c985e1be97b
• Instruction ID: 36d1809c5f8fd7f8eb4ca58bfe683d50c080e9b1d20df690f7b997039ceb9308
• Opcode Fuzzy Hash: 9d6ffb8321dcede3feb8a15ef169449e999527eb7dbd7589d2542c985e1be97b
• Instruction Fuzzy Hash: FF5125B09043456FEB36EF758C86F67BAECEF46704F04091CF58696282E774A904C7A1

Control-flow Graph
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 00397472
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 003974F0
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 00397528
• ___ascii_stricmp.LIBCMT ref: 0039764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 003976E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00397706
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 00397717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 00397745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 003977EF
  • Part of subcall function 0039F1A5: lstrlenA.KERNEL32(000000C8,000000E4,003A22F8,000000C8,00397150,?), ref: 0039F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0039778F
• RegCloseKey.KERNELBASE(?), ref: 003977E6
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: f35494994152cf0d84539d8432929a41d0d0c2a9627f26f60e10b0ce39c73003
• Instruction ID: 984d055457387c5b19c050dd55183c021162930a982185314451e98126148751
• Opcode Fuzzy Hash: f35494994152cf0d84539d8432929a41d0d0c2a9627f26f60e10b0ce39c73003
• Instruction Fuzzy Hash: 10C18E72914209AFEF23DBA4DC45BEEBBBDEF45310F1500A5F504EA191EA31DE448B60

Control-flow Graph
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0039677E
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0039679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 003967B0
• SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 003967BF
• GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 003967D3
• ReadFile.KERNELBASE(000000FF,?,00000040,00398244,00000000,?,76230F10,00000000), ref: 00396807
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0039681F
• ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0039683E
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0039685C
• ReadFile.KERNEL32(000000FF,?,00000028,00398244,00000000,?,76230F10,00000000), ref: 0039688B
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 00396906
• ReadFile.KERNEL32(000000FF,?,00000000,00398244,00000000,?,76230F10,00000000), ref: 0039691C
• CloseHandle.KERNELBASE(000000FF,?,76230F10,00000000), ref: 00396971
  • Part of subcall function 0039EC2E: GetProcessHeap.KERNEL32(00000000,'9,00000000,0039EA27,00000000), ref: 0039EC41
  • Part of subcall function 0039EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0039EC48
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 2622201749-0
• Opcode ID: 952f2bace849d2f3c756d580176f12b987342e97328ea1a27c69fa3b358734ed
• Instruction ID: 4cde3309cbb7d6a8b41980fcd4819754dca8ba5f004aa3595930a60f269cc7d9
• Opcode Fuzzy Hash: 952f2bace849d2f3c756d580176f12b987342e97328ea1a27c69fa3b358734ed
• Instruction Fuzzy Hash: D0714771C0521DEFDF12DFA4CC81AEEBBB8FB04314F10456AE915A6290E7309E92DB60

Control-flow Graph
APIs
• htons.WS2_32(0039CA1D), ref: 0039F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0039F367
• closesocket.WS2_32(00000000), ref: 0039F375
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: aa80ad85c37498f144f86053f95f01255461a90f5e81f5f8904b09545c837bb2
• Instruction ID: f2cb1a64f5293e66503c0c3bea487ac43ad56d30341bb285ba33708301990852
• Opcode Fuzzy Hash: aa80ad85c37498f144f86053f95f01255461a90f5e81f5f8904b09545c837bb2
• Instruction Fuzzy Hash: 4B317A76900218AFDB12DFA5DC89AEF7BBCEF89310F104566F915E3151E7709A418BA0

Control-flow Graph
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00394070
• ExitProcess.KERNEL32 ref: 00394121
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateEventExitProcess
• String ID:
• API String ID: 2404124870-0
• Opcode ID: 12be798f8fdfb69ca9de172491d444926ca88dcd94043a03ceb8b4ed9fbc240c
• Instruction ID: 0a782d981b3326e39dc92b8059adcb0e3d0c2850638a71aa662ddb2313b921bf
• Opcode Fuzzy Hash: 12be798f8fdfb69ca9de172491d444926ca88dcd94043a03ceb8b4ed9fbc240c
• Instruction Fuzzy Hash: 1C518EB1D40219BBEF22ABA08C86FBF7B7CEB15714F110065F615AA190E7318E42D7A1

Control-flow Graph
APIs
• GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00392F01,?,003920FF,003A2000), ref: 00392D3A
• LoadLibraryA.KERNEL32(?), ref: 00392D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00392D61
• DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 00392D77
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00392D99
• HeapAlloc.KERNEL32(00000000), ref: 00392DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00392DCB
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                                                                      • API String ID: 233223969-3847274415
                                                                                                                      • Opcode ID: be3b9000530ee3e764c6672a9fff76a10531f2be2ddab70585ee049158a49134
                                                                                                                      • Instruction ID: 3a3042daada7da703cb097d1b9d451abc48f265436b9eabfedfeeb651ffd7b5e
                                                                                                                      • Opcode Fuzzy Hash: be3b9000530ee3e764c6672a9fff76a10531f2be2ddab70585ee049158a49134
                                                                                                                      • Instruction Fuzzy Hash: 1D214A75901A26BBCF239B64DC44AAFBBBCEF09B50F114011F915A7150D770AA8587D0

Control-flow Graph

[Graph not rendered] Function 003980C9-00398273: call 00396EC3; call 00397EE6 or call 0039704C; call 00392544 and RegOpenKeyExA; RegQueryValueExA, call 0039EBCC, a second RegQueryValueExA, call 0039EBCC and call 0039EF00; RegCloseKey; call 0039EE2A; on the other path call 0039675C (file read, see subcalls), call 003924C2 and call 0039EC2E (heap free).
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0039815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0039A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00398187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0039A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 003981BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00398210
  • Part of subcall function 0039675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0039677E
  • Part of subcall function 0039675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0039679A
  • Part of subcall function 0039675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 003967B0
  • Part of subcall function 0039675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 003967BF
  • Part of subcall function 0039675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 003967D3
  • Part of subcall function 0039675C: ReadFile.KERNELBASE(000000FF,?,00000040,00398244,00000000,?,76230F10,00000000), ref: 00396807
  • Part of subcall function 0039675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0039681F
  • Part of subcall function 0039675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0039683E
  • Part of subcall function 0039675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0039685C
  • Part of subcall function 0039EC2E: GetProcessHeap.KERNEL32(00000000,'9,00000000,0039EA27,00000000), ref: 0039EC41
  • Part of subcall function 0039EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0039EC48
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\yuzqifwu\bndqedvz.exe
• API String ID: 124786226-729601064
• Opcode ID: 036ae5541718df06387278a41624d0efe079ddba08c7c1d510e7562570d299be
• Instruction ID: 908578d0d88c0e3c40512b8727b15939c74b938fb7f20b09ac8138acfd75fa70
• Opcode Fuzzy Hash: 036ae5541718df06387278a41624d0efe079ddba08c7c1d510e7562570d299be
• Instruction Fuzzy Hash: 2441AEB2901209BFEF17EFA4DD81DBFB77CEB46300F05086AF541A6111EA309E448B20

Control-flow Graph

[Graph not rendered] Function 00391AC3-00391B70: LoadLibraryA, GetProcAddress, then GetAdaptersAddresses in a retry loop (00391B03-00391B1B, buffer obtained via call 0039EBED), a loop over the returned adapter list (00391B34-00391B59), then call 0039EC2E to release the buffer.
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00391AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00391AE9
• GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00391B20
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 3646706440-1087626847
• Opcode ID: 0796e5d02a647c7d653526e965cebe074eab5af946bc8df3ea8e3bfb71815f2f
• Instruction ID: 71d0899245eeefcbefc8c0e38596ff3a5f51e62d7aad15032f721476b142d91d
• Opcode Fuzzy Hash: 0796e5d02a647c7d653526e965cebe074eab5af946bc8df3ea8e3bfb71815f2f
• Instruction Fuzzy Hash: 5011D371E02228AFCF17DBA4CC858EEFBBBEB44B50B154056E009B7150E7304E40CB90

Control-flow Graph

[Graph not rendered] Function 0039E3CA-0039E52D: RegOpenKeyExA; a short loop at 0039E3FE; call 0039EE08, call 0039F1ED and RegQueryValueExA; call 0039F1ED and a second RegQueryValueExA; call 0039DB2E; a loop of call 0039F1ED / RegQueryValueExA (0039E4A9-0039E4E6); call 00392544 and call 0039E332; RegCloseKey.
APIs
• RegOpenKeyExA.KERNELBASE(80000001,0039E5F2,00000000,00020119,0039E5F2,003A22F8), ref: 0039E3E6
• RegQueryValueExA.ADVAPI32(0039E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0039E44E
• RegQueryValueExA.ADVAPI32(0039E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0039E482
• RegQueryValueExA.ADVAPI32(0039E5F2,?,00000000,?,80000001,?), ref: 0039E4CF
• RegCloseKey.ADVAPI32(0039E5F2,?,?,?,?,000000C8,000000E4), ref: 0039E520
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: 7435f3549f851e63aac5bf37db24a1b520e8b78647280b484ab90a2f3566da6a
• Instruction ID: eabe1a50d7b711e8ec9510db720851b9cccec877213b5f7f508ee6248a3399ad
• Opcode Fuzzy Hash: 7435f3549f851e63aac5bf37db24a1b520e8b78647280b484ab90a2f3566da6a
• Instruction Fuzzy Hash: 844104B2D00219BFEF12DF95DC85DEEBBBDEB09344F154466FA10A6160E3319A158BA0

Control-flow Graph

[Graph not rendered] Function 0039F26D-0039F303: a single basic block making five setsockopt calls.
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0039F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0039F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0039F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0039F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0039F2FD
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: f2f1a642763f4a40b4b32a0f98e02560eddc539df2ea09ec6368d46f2638ebb4
• Instruction ID: b20f2724a2e5d8385bf2c1205bc24f87ffc7d84974957f809bd248f4d35c5228
• Opcode Fuzzy Hash: f2f1a642763f4a40b4b32a0f98e02560eddc539df2ea09ec6368d46f2638ebb4
• Instruction Fuzzy Hash: 72110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
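The API listings on this page record each call as Name.Module(args), ref: address, with arguments shown as raw hex and `?` where the sandbox could not recover a value. The script below is an added example, not part of the Joe Sandbox report or of the Tofsee sample: it parses lines in that format and decodes the Win32 constants visible in the registry, DnsQuery_A, GetAdaptersAddresses and setsockopt calls in this dump (for example 80000001 as HKEY_CURRENT_USER, 00020119 as KEY_READ|KEY_WOW64_64KEY, the DnsQuery_A type 0000000F as DNS_TYPE_MX, and the 0000FFFF/00001005 setsockopt pair as SOL_SOCKET/SO_SNDTIMEO). Constant values are taken from the Windows SDK headers; arguments are interpreted by declared parameter position, so anything shown as `?` or as trailing stack residue stays undecoded. The sample input is copied from this page.

```python
"""Parse Joe Sandbox 'APIs' listing lines and decode well-known Win32 constants.

Added example for this report; not Joe Sandbox or Tofsee code. Constant values
come from the Windows SDK headers (winreg.h, windns.h, ws2def.h, winsock2.h).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: lines copied verbatim from the listing on this page.
SAMPLE_LINES = """
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0039815F
• RegOpenKeyExA.KERNELBASE(80000001,0039E5F2,00000000,00020119,0039E5F2,003A22F8), ref: 0039E3E6
• DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 00392D77
• GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00391B20
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0039F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0039F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0039F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0039F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0039F2FD
"""

# One listing line: optional bullet, optional "Part of subcall function X:" prefix,
# then Api.Module(arg,arg,...), ref: address
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")

HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x20000: "READ_CONTROL"}
KEY_READ = 0x20019  # READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
DNS_TYPE = {1: "DNS_TYPE_A", 2: "DNS_TYPE_NS", 5: "DNS_TYPE_CNAME", 12: "DNS_TYPE_PTR",
            15: "DNS_TYPE_MX", 16: "DNS_TYPE_TEXT", 28: "DNS_TYPE_AAAA"}
AF = {0: "AF_UNSPEC", 2: "AF_INET", 23: "AF_INET6"}
SOL_SOCKET_OPTS = {0x4: "SO_REUSEADDR", 0x8: "SO_KEEPALIVE", 0x80: "SO_LINGER", 0x1001: "SO_SNDBUF",
                   0x1002: "SO_RCVBUF", 0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}
TCP_OPTS = {1: "TCP_NODELAY"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # int for hex values, None for '?', str for string residue
    ref: int              # address of the call instruction
    parent: Optional[int] = None   # set for "Part of subcall function" lines


def _parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if HEX_RE.match(tok) else tok


def parse_listing(text):
    """Return the ApiCall records for every line in the listing format; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [_parse_arg(t) for t in m["args"].split(",")] if m["args"].strip() else []
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), parent))
    return calls


def _flags(value, table, composites=()):
    """Render a bitmask as NAME|NAME, consuming named composites (e.g. KEY_READ) first."""
    names = []
    for name, mask in composites:
        if value & mask == mask:
            names.append(name)
            value &= ~mask
    for bit, name in sorted(table.items()):
        if value & bit:
            names.append(name)
            value &= ~bit
    if value:
        names.append(f"0x{value:X}")   # bits with no name in the table
    return "|".join(names) or "0"


def annotate(call):
    """Return {parameter: decoded meaning}, using the declared parameter positions of each API."""
    def num(i):
        return call.args[i] if i < len(call.args) and isinstance(call.args[i], int) else None
    out = {}
    if call.api.startswith("RegOpenKeyEx"):           # (hKey, lpSubKey, ulOptions, samDesired, phkResult)
        if num(0) is not None:
            out["hKey"] = HKEY.get(num(0), f"0x{num(0):X}")
        if num(3) is not None:
            out["samDesired"] = _flags(num(3), KEY_RIGHTS, [("KEY_READ", KEY_READ)])
    elif call.api.startswith("DnsQuery"):             # (pszName, wType, Options, ...)
        if num(1) is not None:
            out["wType"] = DNS_TYPE.get(num(1), f"0x{num(1):X}")
    elif call.api == "GetAdaptersAddresses":          # (Family, Flags, Reserved, ...)
        if num(0) is not None:
            out["Family"] = AF.get(num(0), f"0x{num(0):X}")
    elif call.api == "setsockopt":                    # (s, level, optname, optval, optlen)
        level, opt = num(1), num(2)
        unknown = f"0x{opt:X}" if opt is not None else "?"
        if level == 0xFFFF:
            out["level"], out["optname"] = "SOL_SOCKET", SOL_SOCKET_OPTS.get(opt, unknown)
        elif level == 6:
            out["level"], out["optname"] = "IPPROTO_TCP", TCP_OPTS.get(opt, unknown)
    return out


def summarize(text):
    """One line per call: ref address, API name and the decoded parameters."""
    lines = []
    for c in parse_listing(text):
        decoded = ", ".join(f"{k}={v}" for k, v in annotate(c).items())
        lines.append(f"{c.ref:08X} {c.api}({decoded})")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LINES)))
```

Running it prints one line per call with the decoded parameters; the same parser accepts the "Part of subcall function ...:" lines and records the parent address. Note that the first RegOpenKeyExA line has `?` in the samDesired slot, so no access mask is reported for it, whereas the second resolves to KEY_READ|KEY_WOW64_64KEY, a read-only open that explicitly requests the 64-bit registry view.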

Control-flow Graph

[Graph not rendered] Function 00391BDF-00391C5E: call 00391AC3 (the adapter enumeration above), GetComputerNameA, a loop at 00391C26-00391C3B, then GetVolumeInformationA.
APIs
  • Part of subcall function 00391AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00391AD4
  • Part of subcall function 00391AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00391AE9
  • Part of subcall function 00391AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00391B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00391C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00391C51
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2794401326-2393279970
• Opcode ID: 2410e95c084e316a2cd3a23cf42844dda0bb76c4634762553b4e6fdefacd99ef
• Instruction ID: cdae7bc3b8894bfbaac312950efb0c0ea43c9294c3369ab9cb62f36b2a37b92e
• Opcode Fuzzy Hash: 2410e95c084e316a2cd3a23cf42844dda0bb76c4634762553b4e6fdefacd99ef
• Instruction Fuzzy Hash: C2018072A44119BBEF11DAE8C8C59EFBABCAB44745F110475E602F2140D2309E448AA0
APIs
  • Part of subcall function 00391AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00391AD4
  • Part of subcall function 00391AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00391AE9
  • Part of subcall function 00391AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00391B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00391BA3
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,00391EFD,00000000,00000000,00000000,00000000), ref: 00391BB8
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2794401326-1857712256
• Opcode ID: 53e10c3bc91e3d29c45f76faf78191d5d7cac790f3131a7d66aca38400b9d62b
• Instruction ID: 4ac34213a37106e59dcf63dfe8841c94e0f4bab8f70912aed9a0bb9e855613e9
• Opcode Fuzzy Hash: 53e10c3bc91e3d29c45f76faf78191d5d7cac790f3131a7d66aca38400b9d62b
• Instruction Fuzzy Hash: 0F014BB7E00108BFEB029BE9CC819EFFABDAB48750F150162A601F7151D670AE084AA0
                                                                                                                      APIs
                                                                                                                      • inet_addr.WS2_32(00000002), ref: 00392693
                                                                                                                      • gethostbyname.WS2_32(00000002), ref: 0039269F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: gethostbynameinet_addr
                                                                                                                      • String ID: time_cfg
                                                                                                                      • API String ID: 1594361348-2401304539
                                                                                                                      • Opcode ID: 94d133a06be48e09fff65c8d252aa1710a92785805a50a8e743a74c109ec2df1
                                                                                                                      • Instruction ID: 1d4a4889772e9bd322e4fdb618ac2d7aa695abf1316d81690d6b534d146ce411
                                                                                                                      • Opcode Fuzzy Hash: 94d133a06be48e09fff65c8d252aa1710a92785805a50a8e743a74c109ec2df1
                                                                                                                      • Instruction Fuzzy Hash: 73E0C230204911AFCF128B28F848BC677E8EF16330F024580F440C31A0C770DC808780
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0039EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0039EC0A,00000000,80000001,?,0039DB55,7FFF0001), ref: 0039EBAD
                                                                                                                        • Part of subcall function 0039EBA0: HeapSize.KERNEL32(00000000,?,0039DB55,7FFF0001), ref: 0039EBB4
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,'9,00000000,0039EA27,00000000), ref: 0039EC41
                                                                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 0039EC48
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$FreeSize
                                                                                                                      • String ID: '9
                                                                                                                      • API String ID: 1305341483-4222858423
                                                                                                                      • Opcode ID: b0026bcd81dcaf95a58d4fe8afbe1f32bc6d9237d2dd4aff047ebab4f0cf8a9d
                                                                                                                      • Instruction ID: 09c10fb0fefd5cf6bfefe08ae52ef12400df6e2809f3d5744ed76c1b129e1402
                                                                                                                      • Opcode Fuzzy Hash: b0026bcd81dcaf95a58d4fe8afbe1f32bc6d9237d2dd4aff047ebab4f0cf8a9d
                                                                                                                      • Instruction Fuzzy Hash: 0AC01232506230ABD9576750BC0DFDB6B5C9F47711F0A4409F4056A0508760584146E1
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0039DD05: GetTickCount.KERNEL32 ref: 0039DD0F
                                                                                                                        • Part of subcall function 0039DD05: InterlockedExchange.KERNEL32(003A36B4,00000001), ref: 0039DD44
                                                                                                                        • Part of subcall function 0039DD05: GetCurrentThreadId.KERNEL32 ref: 0039DD53
                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,76230F10,?,00000000,?,0039A445), ref: 0039E558
                                                                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,76230F10,?,00000000,?,0039A445), ref: 0039E583
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,76230F10,?,00000000,?,0039A445), ref: 0039E5B2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3683885500-0
                                                                                                                      • Opcode ID: 117443ab15cd31bc622aca69d42ae725da09811f6af24d2ce43fddf44ac8497d
                                                                                                                      • Instruction ID: 611b825c92b4bee6339e4331b4d8e96eab9be0c94f043367570e21568aacc30e
                                                                                                                      • Opcode Fuzzy Hash: 117443ab15cd31bc622aca69d42ae725da09811f6af24d2ce43fddf44ac8497d
                                                                                                                      • Instruction Fuzzy Hash: 4F2138B2A403003AEA27BB229C4BFAB7A1CDF57750F010514FE09A91E3F951D90082F1
                                                                                                                      APIs
                                                                                                                      • Sleep.KERNELBASE(000003E8), ref: 003988A5
                                                                                                                        • Part of subcall function 0039F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0039E342,00000000,75B4EA50,80000001,00000000,0039E513,?,00000000,00000000,?,000000E4), ref: 0039F089
                                                                                                                        • Part of subcall function 0039F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0039E342,00000000,75B4EA50,80000001,00000000,0039E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0039F093
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$FileSystem$Sleep
                                                                                                                      • String ID: localcfg$rresolv
                                                                                                                      • API String ID: 1561729337-486471987
                                                                                                                      • Opcode ID: ac61ab6d077d5f790795f0f783f86d0993366db8aede86ab261ef3f030053a89
                                                                                                                      • Instruction ID: f009147a571bb909db8b2c52d721c4fce94bb2d7511de2e19d65510a8a907ef2
                                                                                                                      • Opcode Fuzzy Hash: ac61ab6d077d5f790795f0f783f86d0993366db8aede86ab261ef3f030053a89
                                                                                                                      • Instruction Fuzzy Hash: F221A53164C3016EFB17FBA96C87BAB3AACDB47710F910419FA04DA1C2EEA1954081B2
                                                                                                                      APIs
                                                                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,003A22F8,003942B6,00000000,00000001,003A22F8,00000000,?,003998FD), ref: 00394021
                                                                                                                      • GetLastError.KERNEL32(?,003998FD,00000001,00000100,003A22F8,0039A3C7), ref: 0039402C
                                                                                                                      • Sleep.KERNEL32(000001F4,?,003998FD,00000001,00000100,003A22F8,0039A3C7), ref: 00394046
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateErrorFileLastSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 408151869-0
                                                                                                                      • Opcode ID: 5aaa21cd1099ab44975ee8a266d0a9f463b94ed463bf4812d24565340f88b18d
                                                                                                                      • Instruction ID: ad7115165144fb9f56985d0578ae7450f15bc5ea44c54c537e5c78d79880edd0
                                                                                                                      • Opcode Fuzzy Hash: 5aaa21cd1099ab44975ee8a266d0a9f463b94ed463bf4812d24565340f88b18d
                                                                                                                      • Instruction Fuzzy Hash: B9F0A7712441016ADF374B25AC49F1AB365DB82720F264B24F3B5E21E0C63048879B14
                                                                                                                      APIs
                                                                                                                      • GetEnvironmentVariableA.KERNEL32(0039DC19,?,00000104), ref: 0039DB7F
                                                                                                                      • lstrcpyA.KERNEL32(?,003A28F8), ref: 0039DBA4
                                                                                                                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0039DBC2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2536392590-0
                                                                                                                      • Opcode ID: e099533f5ac410c8c6535dd8b20752d4ca81ff3d6d28a9c35207bd0087e405a6
                                                                                                                      • Instruction ID: a6b8f5f71aacc377c1d588e6e93f56e06324f214651b29f0cab8fb9b16f58c32
                                                                                                                      • Opcode Fuzzy Hash: e099533f5ac410c8c6535dd8b20752d4ca81ff3d6d28a9c35207bd0087e405a6
                                                                                                                      • Instruction Fuzzy Hash: 08F0B470100209ABEF12DF64DD4AFD93B6DBB10308F114194BB55A40D0D7F2D545CF10
                                                                                                                      APIs
                                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0039EC5E
                                                                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0039EC72
                                                                                                                      • GetTickCount.KERNEL32 ref: 0039EC78
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1209300637-0
                                                                                                                      • Opcode ID: 1d3b788d7906f5b907045f2ee2abd71eba2a833b8e6faf5ceef32d15f1df1c85
                                                                                                                      • Instruction ID: e0d71cccb4339f4783a691ad217988f04f7284db8ac937eee0224e89b50c5660
                                                                                                                      • Opcode Fuzzy Hash: 1d3b788d7906f5b907045f2ee2abd71eba2a833b8e6faf5ceef32d15f1df1c85
                                                                                                                      • Instruction Fuzzy Hash: E7E0BFF5810104BFE706EBB0DC4EEBB77BCFB09314F500650B911D60A0DA709A048B60
                                                                                                                      APIs
                                                                                                                      • gethostname.WS2_32(?,00000080), ref: 003930D8
                                                                                                                      • gethostbyname.WS2_32(?), ref: 003930E2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: gethostbynamegethostname
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3961807697-0
                                                                                                                      • Opcode ID: 5189ee1e774955fbfe51da1ecadae880cf5bdee8c6f89f64c2dcf85ee0d9bbf5
                                                                                                                      • Instruction ID: 7c7182f246f30e9bd119bb52652cb6a993325272dc95cdec31cdcb0cdb4a75f6
                                                                                                                      • Opcode Fuzzy Hash: 5189ee1e774955fbfe51da1ecadae880cf5bdee8c6f89f64c2dcf85ee0d9bbf5
                                                                                                                      • Instruction Fuzzy Hash: 1CE09272900219ABCF00EBA8EC89FCA77ECFF05308F080461F946E7250EA34E90487A0
                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,0039DB55,7FFF0001), ref: 0039EC13
                                                                                                                      • RtlReAllocateHeap.NTDLL(00000000,?,0039DB55,7FFF0001), ref: 0039EC1A
                                                                                                                        • Part of subcall function 0039EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0039EBFE,7FFF0001,?,0039DB55,7FFF0001), ref: 0039EBD3
                                                                                                                        • Part of subcall function 0039EBCC: RtlAllocateHeap.NTDLL(00000000,?,0039DB55,7FFF0001), ref: 0039EBDA
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$AllocateProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1357844191-0
                                                                                                                      • Opcode ID: 86140f0240d94e56d88fab2aff432197ed77de3de41b377fee86e8d0cb0a98b3
                                                                                                                      • Instruction ID: 4dfad51891a1e5b0344bfc2aa011fb4e7c178e6c93b762167fc4efbc0129bb9f
                                                                                                                      • Opcode Fuzzy Hash: 86140f0240d94e56d88fab2aff432197ed77de3de41b377fee86e8d0cb0a98b3
                                                                                                                      • Instruction Fuzzy Hash: 94E01A36108218BADF066B94EC09AE93B59EB05362F108015FA0D89561CB328990DA94
                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0039EBFE,7FFF0001,?,0039DB55,7FFF0001), ref: 0039EBD3
                                                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,0039DB55,7FFF0001), ref: 0039EBDA
                                                                                                                        • Part of subcall function 0039EB74: GetProcessHeap.KERNEL32(00000000,00000000,0039EC28,00000000,?,0039DB55,7FFF0001), ref: 0039EB81
                                                                                                                        • Part of subcall function 0039EB74: HeapSize.KERNEL32(00000000,?,0039DB55,7FFF0001), ref: 0039EB88
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocateSize
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2559512979-0
                                                                                                                      • Opcode ID: a4cc7078b9de69fcafd2990802b6d64414b15f4bb0b6c8bab921917e8c470206
                                                                                                                      • Instruction ID: 4650248986d8a3b7784eb76c67c785e22fb3c6fa98dd95aa9699d00b0f566cf5
                                                                                                                      • Opcode Fuzzy Hash: a4cc7078b9de69fcafd2990802b6d64414b15f4bb0b6c8bab921917e8c470206
                                                                                                                      • Instruction Fuzzy Hash: EEC08C3A2082206BCA0727A8BC0CEDE3E9CEF0B3A2F044004F609C6260CB304C4087A2
APIs
• recv.WS2_32(000000C8,?,00000000,0039CA44), ref: 0039F476
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: 906b5caf40ec68007fa3c723fed68fdd71d14e790398368db2dcefbd18208779
• Instruction ID: ddc9f3ae5658c77c99fe01adf4072e97abe22fce828238513068b24213cd6f24
• Instruction Fuzzy Hash: E6F01C7220155AAF9F129E9EDC84CAB3BAEFB89350B050522FA14D7110D631E8218BA0
APIs
• closesocket.WS2_32(00000000), ref: 00391992
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: 69de287d24503e2767df8473c37ff68d4ee906953f1e537266d34ed652205260
• Instruction ID: 64d77d0221d88c5444bda99a78d373cd9a3b5ac93a91cb4f2ca2cdf59b78c861
• Instruction Fuzzy Hash: 2DD012261486326A96162759BC055BFAB9CDF45762B11842AFC48D4150D735CC4183D6
APIs
• lstrcmpiA.KERNEL32(80000011,00000000), ref: 0039DDB5
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
• Opcode ID: 03b9c3440e783d47a30d14cf77a270142c92602d90fc5c696ff158ac8f515302
• Instruction ID: 2bff3854164ee628113de829572af09e1b2f45f11f9be7018b74a78ab2a7ef36
• Instruction Fuzzy Hash: 6AF08C35200242CFCF22CE389885656B3E8EF86365F16483EE155D2150D730DC45CB11
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00399816,EntryPoint), ref: 0039638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00399816,EntryPoint), ref: 003963A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 003963CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 003963EB
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 4a9898dc84e88ad05d03d714ce34c7984193698952c504c756ec13ab3940ea5b
• Instruction ID: 8576269374da29543f4ee86fc2de00abede24519a29e40afe39243fb614159e2
• Instruction Fuzzy Hash: 341133B5601219BFEF169F65DC4AF9B3BACEB057A5F114024F905E7290D671DD008AA0
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00391839,00399646), ref: 00391012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 003910C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 003910E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00391101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00391121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00391140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00391160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00391180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0039119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 003911BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 003911DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 003911FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0039121A
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
• Opcode ID: 89f4a95ab83c99175b6e52d2753399864504ccb960f2d745df883de420367a86
• Instruction ID: a913f291cb2e508b034bc39aadfc319de521b775e8f699cffa3e63c54363e89a
• Instruction Fuzzy Hash: B5511D72646603AADB579B6CAC4479376BCA74A364F15031EF520E22E0D7F0DAC2CB52
APIs
• GetLocalTime.KERNEL32(?), ref: 0039B2B3
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0039B2C2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0039B2D0
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0039B2E1
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0039B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0039B329
• wsprintfA.USER32 ref: 0039B3B7
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
• Opcode ID: ef26b06fe1df74a57b9cda360add4481d18043b9d7e098ac30d5083fa96b403a
• Instruction ID: ccd1c1e4b2b2dc003b87c2b712414c14596daddaac246302871c07895c780fcb
• Instruction Fuzzy Hash: E8514CB9D0021CAACF1ADFD5D9858EEFBB9FF4A314F104129E601BA150D3745A89CB90
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: 52f2ccd804e68e8425e08412a5c673e143dd1942874b7e28671cfe25eee6def9
• Instruction ID: 317afc773ae786f42a77b0f23415bb57d670692dcd58d69b5768755d77e3a1ac
• Instruction Fuzzy Hash: 33615C72A40208AFDF669FB4DC45FEA77E9FF09300F148069F969D2161EA71A950CF50
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-4264063882
• Opcode ID: b704bfc47909c1c7276f258a8a9eec5d80cfbbf8e7c01d6b69b487d5e45c9983
• Instruction ID: e75733263c511b3c017712ad077d452d59a0acc479e7d6520ce8b817aea20d45
• Instruction Fuzzy Hash: F8A13772A48719BBDF278B58DC86FAE7B6DEB01304F250226F901A6090DB719D4887D3
APIs
• ShellExecuteExW.SHELL32(?), ref: 0039139A
• lstrlenW.KERNEL32(-00000003), ref: 00391571
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
• Opcode ID: 295c44f51fb873c190d744424e8b1855948bc78846fa20155d44cb3fe7aeba07
• Instruction ID: f35671905ec6a6244660015537c8bd67096fbb3519b82db1ae5c3dae232fc240
• Instruction Fuzzy Hash: 53F1BFB55083429FDB22DF64C888BABB7E8FB8A300F01491DF596E7290D7B4D944CB52
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 00392A83
• HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 00392A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00392AA0
• htons.WS2_32(00000000), ref: 00392ADB
• select.WS2_32 ref: 00392B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00392B4A
• htons.WS2_32(?), ref: 00392B71
• htons.WS2_32(?), ref: 00392B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00392BFB
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: d2900d95a1665fd50756176988675d4a805423431ac50d2b161a033eccd8a81d
• Instruction ID: 45c52e471c2b62316a538b51f68494e0dbb6525416635a7d6d89c41137266015
• Instruction Fuzzy Hash: E461B0B5904B05ABCB269F65DC48B6FBBECFB89751F010809F94997250D7B0EC448FA2
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 003970C2
• RegEnumValueA.ADVAPI32(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0039719E
• RegCloseKey.ADVAPI32(76230F10,?,76230F10,00000000), ref: 003971B2
• RegCloseKey.ADVAPI32(76230F10), ref: 00397208
• RegCloseKey.ADVAPI32(76230F10), ref: 00397291
• ___ascii_stricmp.LIBCMT ref: 003972C2
• RegCloseKey.ADVAPI32(76230F10), ref: 003972D0
• RegCloseKey.ADVAPI32(76230F10), ref: 00397314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0039738D
• RegCloseKey.ADVAPI32(76230F10), ref: 003973D8
  • Part of subcall function 0039F1A5: lstrlenA.KERNEL32(000000C8,000000E4,003A22F8,000000C8,00397150,?), ref: 0039F1AD
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: e32fa03e2775b2750429490655e3e7ca83234ccdbc824c43553b17b16d02bd7e
• Instruction ID: 718b09839fd506cc28efe25a3de0974cb12f5245e51998efd575d6238f9f8da3
• Opcode Fuzzy Hash: e32fa03e2775b2750429490655e3e7ca83234ccdbc824c43553b17b16d02bd7e
• Instruction Fuzzy Hash: 71B18D7291820AAEEF16EFA4DC45AEF77B8EF05301F110466F501E61D0EB719A84CBA4
APIs
• GetLocalTime.KERNEL32(?), ref: 0039AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0039ADA6
  • Part of subcall function 0039AD08: gethostname.WS2_32(?,00000080), ref: 0039AD1C
  • Part of subcall function 0039AD08: lstrlenA.KERNEL32(?), ref: 0039AD60
  • Part of subcall function 0039AD08: lstrlenA.KERNEL32(?), ref: 0039AD69
  • Part of subcall function 0039AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 0039AD7F
  • Part of subcall function 003930B5: gethostname.WS2_32(?,00000080), ref: 003930D8
  • Part of subcall function 003930B5: gethostbyname.WS2_32(?), ref: 003930E2
• wsprintfA.USER32 ref: 0039AEA5
  • Part of subcall function 0039A7A3: inet_ntoa.WS2_32(00000000), ref: 0039A7A9
• wsprintfA.USER32 ref: 0039AE4F
• wsprintfA.USER32 ref: 0039AE5E
  • Part of subcall function 0039EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 0039EF92
  • Part of subcall function 0039EF7C: lstrlenA.KERNEL32(?), ref: 0039EF99
  • Part of subcall function 0039EF7C: lstrlenA.KERNEL32(00000000), ref: 0039EFA0
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: bd0fdf7eaadc37053b38a2f8d37419b57c356745fd362a278bc2fc2869a74753
• Instruction ID: e81e066b41d2734da51544ba02bbf19cd5e77cae22588b985f7cec262e395ae4
• Opcode Fuzzy Hash: bd0fdf7eaadc37053b38a2f8d37419b57c356745fd362a278bc2fc2869a74753
• Instruction Fuzzy Hash: 984123B290020CAFDF26EFA4DC46EEF3BADFF09300F144516F91596151E671D9548B61
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,00392F0F,?,003920FF,003A2000), ref: 00392E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00392F0F,?,003920FF,003A2000), ref: 00392E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00392E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00392F0F,?,003920FF,003A2000), ref: 00392E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00392F0F,?,003920FF,003A2000), ref: 00392E4F
• htons.WS2_32(00000035), ref: 00392E88
• inet_addr.WS2_32(?), ref: 00392E93
• gethostbyname.WS2_32(?), ref: 00392EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00392F0F,?,003920FF,003A2000), ref: 00392EE3
• HeapFree.KERNEL32(00000000,?,00000000,00392F0F,?,003920FF,003A2000), ref: 00392EE6
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: ba73817dfbd8b2607956866361e3aeb1af2bd4d93c97058437b4cf448a83c2c2
• Instruction ID: 9c0afbb56198ed0911d7f07bf5b9975a129e148f6a9c0dade49a821616eacc81
• Opcode Fuzzy Hash: ba73817dfbd8b2607956866361e3aeb1af2bd4d93c97058437b4cf448a83c2c2
• Instruction Fuzzy Hash: 9031A436E00A0ABBDF179BB89C88AAF777CAF05361F154115F914E7290D730DD418B90
APIs
• GetVersionExA.KERNEL32(?,?,00399DD7,?,00000022,?,?,00000000,00000001), ref: 00399340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00399DD7,?,00000022,?,?,00000000,00000001), ref: 0039936E
• GetModuleFileNameA.KERNEL32(00000000,?,00399DD7,?,00000022,?,?,00000000,00000001), ref: 00399375
• wsprintfA.USER32 ref: 003993CE
• wsprintfA.USER32 ref: 0039940C
• wsprintfA.USER32 ref: 0039948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 003994F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00399526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00399571
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: 809ba888ecf506f134154b44566e6ddb805033e94061deb27c7b7a21f7bb1de7
• Instruction ID: 73959fdd84489d9183b3f0a85ccac66c451061c6bb58c1cbf737184ffb1fae55
• Opcode Fuzzy Hash: 809ba888ecf506f134154b44566e6ddb805033e94061deb27c7b7a21f7bb1de7
• Instruction Fuzzy Hash: 8CA16CB2940208AFEF27DFA5CC85FDF3BACEB46741F10002AFA0596152E77599448FA1
APIs
• wsprintfA.USER32 ref: 0039B467
  • Part of subcall function 0039EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 0039EF92
  • Part of subcall function 0039EF7C: lstrlenA.KERNEL32(?), ref: 0039EF99
  • Part of subcall function 0039EF7C: lstrlenA.KERNEL32(00000000), ref: 0039EFA0
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: 6405d151afba87304ccb0b3dd5b18393a2e345c4779a8043e856d953264019ab
• Instruction ID: 1119ad2429db1d3afc29b65f0d02e7ed8704e0722b09634a15dd2765b6aec668
• Opcode Fuzzy Hash: 6405d151afba87304ccb0b3dd5b18393a2e345c4779a8043e856d953264019ab
• Instruction Fuzzy Hash: 2D416FB25401197EDF02ABA4DCC2CFF7B6CEF4A758B140515F905AA042DB71AE1497A1
APIs
• GetTickCount.KERNEL32 ref: 00392078
• GetTickCount.KERNEL32 ref: 003920D4
• GetTickCount.KERNEL32 ref: 003920DB
• GetTickCount.KERNEL32 ref: 0039212B
• GetTickCount.KERNEL32 ref: 00392132
• GetTickCount.KERNEL32 ref: 00392142
  • Part of subcall function 0039F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0039E342,00000000,75B4EA50,80000001,00000000,0039E513,?,00000000,00000000,?,000000E4), ref: 0039F089
  • Part of subcall function 0039F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0039E342,00000000,75B4EA50,80000001,00000000,0039E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0039F093
  • Part of subcall function 0039E854: lstrcpyA.KERNEL32(00000001,?,?,0039D8DF,00000001,localcfg,except_info,00100000,003A0264), ref: 0039E88B
  • Part of subcall function 0039E854: lstrlenA.KERNEL32(00000001,?,0039D8DF,00000001,localcfg,except_info,00100000,003A0264), ref: 0039E899
  • Part of subcall function 00391C5F: wsprintfA.USER32 ref: 00391CE1
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: 224cd47c64f0d53906bec4af5c7266510c33089b9c755b95e05ef90b484081bf
• Instruction ID: 94256cdbf469250d92d17558e986483e8dc1bf64a3687810d4b5469d3b11b7cc
• Opcode Fuzzy Hash: 224cd47c64f0d53906bec4af5c7266510c33089b9c755b95e05ef90b484081bf
• Instruction Fuzzy Hash: A451D471A04B466EEF2BEF38ED46B573BDCEB06314F110829E601CA6A1DBB49854CB51
APIs
  • Part of subcall function 0039A4C7: GetTickCount.KERNEL32 ref: 0039A4D1
  • Part of subcall function 0039A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0039A4FA
• GetTickCount.KERNEL32 ref: 0039C31F
• GetTickCount.KERNEL32 ref: 0039C32B
• GetTickCount.KERNEL32 ref: 0039C363
• GetTickCount.KERNEL32 ref: 0039C378
• GetTickCount.KERNEL32 ref: 0039C44D
• InterlockedIncrement.KERNEL32(0039C4E4), ref: 0039C4AE
• CreateThread.KERNEL32(00000000,00000000,0039B535,00000000,?,0039C4E0), ref: 0039C4C1
• CloseHandle.KERNEL32(00000000,?,0039C4E0,003A3588,00398810), ref: 0039C4CC
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
• Opcode ID: fdfbfa6021e5f3a8e517bfef598ab7c5c72150713fd1e5bcdf40ade8ad8c746a
• Instruction ID: a56844ee0311b380e92e4f2b31cfc68909e425111f8008178aed463b535d79da
• Opcode Fuzzy Hash: fdfbfa6021e5f3a8e517bfef598ab7c5c72150713fd1e5bcdf40ade8ad8c746a
• Instruction Fuzzy Hash: F9516FB5610B418FDB269F6AC5D452AFBE9FB48300B51A93ED18BC7A90D774F844CB10
                                                                                                                      APIs
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0039BE4F
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0039BE5B
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0039BE67
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0039BF6A
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0039BF7F
                                                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0039BF94
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcmpi
                                                                                                                      • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                                                      • API String ID: 1586166983-1625972887
                                                                                                                      APIs
                                                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00399A60,?,?,00399E9D), ref: 00396A7D
                                                                                                                      • GetDiskFreeSpaceA.KERNEL32(00399E9D,00399A60,?,?,?,003A22F8,?,?,?,00399A60,?,?,00399E9D), ref: 00396ABB
                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00399A60,?,?,00399E9D), ref: 00396B40
                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00399A60,?,?,00399E9D), ref: 00396B4E
                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00399A60,?,?,00399E9D), ref: 00396B5F
                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00399A60,?,?,00399E9D), ref: 00396B6F
                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00399A60,?,?,00399E9D), ref: 00396B7D
                                                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00399A60,?,?,00399E9D), ref: 00396B80
                                                                                                                      • GetLastError.KERNEL32(?,?,?,00399A60,?,?,00399E9D,?,?,?,?,?,00399E9D,?,00000022,?), ref: 00396B96
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3188212458-0
                                                                                                                      APIs
                                                                                                                      • GetUserNameA.ADVAPI32(?,0039D7C3), ref: 00396F7A
                                                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0039D7C3), ref: 00396FC1
                                                                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00396FE8
                                                                                                                      • LocalFree.KERNEL32(00000120), ref: 0039701F
                                                                                                                      • wsprintfA.USER32 ref: 00397036
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                                      • String ID: /%d$|
                                                                                                                      • API String ID: 676856371-4124749705
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,003A22F8,000000E4,00396DDC,000000C8), ref: 00396CE7
                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00396CEE
                                                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00396D14
                                                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00396D2B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                                                      • API String ID: 1082366364-3395550214
                                                                                                                      APIs
                                                                                                                      • CreateProcessA.KERNEL32(00000000,00399947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,003A22F8), ref: 003997B1
                                                                                                                      • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,003A22F8), ref: 003997EB
                                                                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,003A22F8), ref: 003997F9
                                                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,003A22F8), ref: 00399831
                                                                                                                      • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,003A22F8), ref: 0039984E
                                                                                                                      • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,003A22F8), ref: 0039985B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                                      • String ID: D
                                                                                                                      • API String ID: 2981417381-2746444292
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0039DD05: GetTickCount.KERNEL32 ref: 0039DD0F
                                                                                                                        • Part of subcall function 0039DD05: InterlockedExchange.KERNEL32(003A36B4,00000001), ref: 0039DD44
                                                                                                                        • Part of subcall function 0039DD05: GetCurrentThreadId.KERNEL32 ref: 0039DD53
                                                                                                                        • Part of subcall function 0039DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0039DDB5
                                                                                                                      • lstrcpynA.KERNEL32(?,00391E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0039EAAA,?,?), ref: 0039E8DE
                                                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0039EAAA,?,?,00000001,?,00391E84,?), ref: 0039E935
                                                                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0039EAAA,?,?,00000001,?,00391E84,?,0000000A), ref: 0039E93D
                                                                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0039EAAA,?,?,00000001,?,00391E84,?), ref: 0039E94F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                                      • String ID: flags_upd$localcfg
                                                                                                                      • API String ID: 204374128-3505511081
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Code
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3609698214-0
                                                                                                                      APIs
                                                                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,003A22F8), ref: 0039907B
                                                                                                                      • wsprintfA.USER32 ref: 003990E9
                                                                                                                      • CreateFileA.KERNEL32(003A22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0039910E
                                                                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00399122
                                                                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0039912D
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00399134
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2439722600-0
                                                                                                                      APIs
                                                                                                                      • GetTickCount.KERNEL32 ref: 0039DD0F
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0039DD20
                                                                                                                      • GetTickCount.KERNEL32 ref: 0039DD2E
                                                                                                                      • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0039E538,?,76230F10,?,00000000,?,0039A445), ref: 0039DD3B
                                                                                                                      • InterlockedExchange.KERNEL32(003A36B4,00000001), ref: 0039DD44
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0039DD53
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3819781495-0
                                                                                                                      APIs
                                                                                                                      • gethostname.WS2_32(?,00000080), ref: 0039AD1C
                                                                                                                      • lstrlenA.KERNEL32(?), ref: 0039AD60
                                                                                                                      • lstrlenA.KERNEL32(?), ref: 0039AD69
                                                                                                                      • lstrcpyA.KERNEL32(?,LocalHost), ref: 0039AD7F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                                                                      • String ID: LocalHost
                                                                                                                      • API String ID: 3695455745-3154191806
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,003998FD,00000001,00000100,003A22F8,0039A3C7), ref: 00394290
• CloseHandle.KERNEL32(0039A3C7), ref: 003943AB
• CloseHandle.KERNEL32(00000001), ref: 003943AE
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 0039609C
• LoadLibraryA.KERNEL32(?,?,003964CF,00000000), ref: 003960C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0039614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0039619E
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetTickCount.KERNEL32 ref: 0039272E
• htons.WS2_32(00000001), ref: 00392752
• htons.WS2_32(0000000F), ref: 003927D5
• htons.WS2_32(00000001), ref: 003927E3
• sendto.WS2_32(?,003A2BF8,00000009,00000000,00000010,00000010), ref: 00392802
  • Part of subcall function 0039EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0039EBFE,7FFF0001,?,0039DB55,7FFF0001), ref: 0039EBD3
  • Part of subcall function 0039EBCC: RtlAllocateHeap.NTDLL(00000000,?,0039DB55,7FFF0001), ref: 0039EBDA
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• String ID:
• API String ID: 1128258776-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,003A22F8), ref: 0039915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00399166
• CharToOemA.USER32(?,?), ref: 00399174
• wsprintfA.USER32 ref: 003991A9
  • Part of subcall function 00399064: GetTempPathA.KERNEL32(00000400,?,00000000,003A22F8), ref: 0039907B
  • Part of subcall function 00399064: wsprintfA.USER32 ref: 003990E9
  • Part of subcall function 00399064: CreateFileA.KERNEL32(003A22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0039910E
  • Part of subcall function 00399064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00399122
  • Part of subcall function 00399064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0039912D
  • Part of subcall function 00399064: CloseHandle.KERNEL32(00000000), ref: 00399134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 003991E1
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00392491,?,?,?,0039E844,-00000030,?,?,?,00000001), ref: 00392429
• lstrlenA.KERNEL32(?,?,00392491,?,?,?,0039E844,-00000030,?,?,?,00000001,00391E3D,00000001,localcfg,lid_file_upd), ref: 0039243E
• lstrcmpiA.KERNEL32(?,?), ref: 00392452
• lstrlenA.KERNEL32(?,?,00392491,?,?,?,0039E844,-00000030,?,?,?,00000001,00391E3D,00000001,localcfg,lid_file_upd), ref: 00392467
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00396F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p9), ref: 00396F24
• FreeSid.ADVAPI32(?), ref: 00396F3E
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p9
• API String ID: 3429775523-3131173850
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
  • Part of subcall function 0039DD05: GetTickCount.KERNEL32 ref: 0039DD0F
  • Part of subcall function 0039DD05: InterlockedExchange.KERNEL32(003A36B4,00000001), ref: 0039DD44
  • Part of subcall function 0039DD05: GetCurrentThreadId.KERNEL32 ref: 0039DD53
• lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,00395EC1), ref: 0039E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,00395EC1), ref: 0039E6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,76230F10,00000000,?,00395EC1), ref: 0039E722
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0039E2A3,00000000,00000000,00000000,00020106,00000000,0039E2A3,00000000,000000E4), ref: 0039E0B2
• RegSetValueExA.ADVAPI32(0039E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,003A22F8), ref: 0039E127
• RegDeleteValueA.ADVAPI32(0039E2A3,?,?,?,?,?,000000C8,003A22F8), ref: 0039E158
• RegCloseKey.ADVAPI32(0039E2A3,?,?,?,?,000000C8,003A22F8,?,?,?,?,?,?,?,?,0039E2A3), ref: 0039E161
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
APIs
• WriteFile.KERNEL32(00000000,00000000,0039A3C7,00000000,00000000,000007D0,00000001), ref: 00393F44
• GetLastError.KERNEL32 ref: 00393F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00393F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00393F72
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9daf6423e66f7404ca4d063ab12e34d3f1afc6492b3485f5f254058ec5f58b32
• Instruction ID: a3947eec4037bb286a51c28d784cff79b328bb2a7ee6f575c400bc4564ac8d26
• Instruction Fuzzy Hash: 580104B2911109ABDF02DF90ED88BEF7BBCEB04356F114025FA02E2050D730DA248BB2
APIs
• ReadFile.KERNEL32(00000000,00000000,0039A3C7,00000000,00000000,000007D0,00000001), ref: 00393FB8
• GetLastError.KERNEL32 ref: 00393FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00393FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00393FE6
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: 235a92050cf2488d8284b2528242be3e9f0aa036cc2b23e86840a40c037bb848
• Instruction ID: a11d828d9e654e8d952238d08c485b687dc6927fd34a2afae29b048baf2f5619
• Instruction Fuzzy Hash: A701A2B291020AABDF12DF94DD89BEF7BBCEB14356F114061F902E2050D770DA548BB2
APIs
• GetTickCount.KERNEL32 ref: 00394E9E
• GetTickCount.KERNEL32 ref: 00394EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00394EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00394EC3
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: a0c423f972ecd5bc555e88af0fdd9bfebeae84f19a6c676efc55e2f935920200
• Instruction ID: 0ef35469f9c36b39a2e63b604d173eff9d71bc4c135a4923e1d72a128fbb92e3
• Instruction Fuzzy Hash: 5EE0CD3370121457DA1167F9AC84F56774DBB57375F020531F709D2140D556DC4345F1
APIs
• GetTickCount.KERNEL32 ref: 0039A4D1
• GetTickCount.KERNEL32 ref: 0039A4E4
• Sleep.KERNEL32(00000000,?,0039C2E9,0039C4E0,00000000,localcfg,?,0039C4E0,003A3588,00398810), ref: 0039A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0039A4FA
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: d5aec8b245ac1197149e0dd1bf92365a69405c700f3ae76ad521be45fcf7a0b3
• Instruction ID: 145ec15ce188bd69cd74ab7cfbb6a5b45340005a9df91ccdbfae3dc113da89ba
• Instruction Fuzzy Hash: ADE07D3330021457CF0297E6AC84F7A338CEB4B7A1F130121FB08E3240C656A84141F3
APIs
• GetTickCount.KERNEL32 ref: 00394BDD
• GetTickCount.KERNEL32 ref: 00394BEC
• Sleep.KERNEL32(00000000,?,?,?,02A1E054,003950F2), ref: 00394BF9
• InterlockedExchange.KERNEL32(02A1E048,00000001), ref: 00394C02
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 9cfbe06c1a9825cd5e69dea8162b97429f971f031a31ee4c4d1b2566dfa362c1
• Instruction ID: 6b1cece65b5e36d0fabaaffadbbc3e097fd911e114528b559da8df567180bd01
• Instruction Fuzzy Hash: 14E0CD3324131467CF1567F59C80F56775CDB57361F070072F748D2150C556D84245B1
APIs
• GetTickCount.KERNEL32 ref: 00393103
• GetTickCount.KERNEL32 ref: 0039310F
• Sleep.KERNEL32(00000000), ref: 0039311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00393128
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 2d4e50e99211247843cac812ee6761ba59ffbbe6436e627c0e4d21ee52e2feec
• Instruction ID: 718be59231d7904c8f70b287fcf57fc06d8e5e4db10c08be23b8000c4066b89c
• Instruction Fuzzy Hash: 8EE02B71304215AFDF02BBB6AD44B896B5EDF857A1F020031F201E20B0C5504D008971
APIs
• WriteFile.KERNEL32(00399A60,?,?,00000000,00000000,00399A60,?,00000000), ref: 003969F9
• WriteFile.KERNEL32(00399A60,?,00399A60,00000000,00000000), ref: 00396A27
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k9
• API String ID: 3934441357-387603698
• Opcode ID: dca0288c2da4eacf504b9fb35490a1e02b412a3b37303354bc8a5bb32bdcdc41
• Instruction ID: a78dcea3448ef79392cf12119d3adfaba9a3b519d28f7be5a6ba5ff6ce28add8
• Instruction Fuzzy Hash: 58313AB2A01209EFDF25CF58D985BAE77F8EB04355F11846AE805E7200D370EE54CB61
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: 8c077dadb21caad3564ec0e1fe83cdf3e8ba7b2e79b8847e8e3a432ecbc0be8a
• Instruction ID: cd7836843e717b7294d25061304180c40d237148640f4b397378ec96c8cc3051
• Instruction Fuzzy Hash: 4321AF32614615AFDF12DFA8DC956AABBBDEBA3351F2A015AE401DB191CF30EA40C750
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0039C057
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: 8c61e6b4ea18599f5ee9f163dce2d899a6d3cfc47d8ba70e919d87da783e60f8
• Instruction ID: 8cac51ecc17370b9faf3d4152a4a4beb0c5361382c2326aeafaef34b9334325e
• Instruction Fuzzy Hash: F6119772200100FFDB429BA9CD44E567FA6FF89318B34819CF6188E166D633D863EB50
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 003926C3
• inet_ntoa.WS2_32(?), ref: 003926E4
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: c4d14fd4b44ea51b3b5823a7a6fd16c52d184db521871c7ebaabef7e7cda484b
• Instruction ID: 03cf0c680c63c2e26c2ffaf0536828b668a96903b3ee2c192b4c32b51dfc7098
• Instruction Fuzzy Hash: 7CF0A7321483087FEF06AFA0EC09B9A379CDF05351F104422F908DE490DBB1D9509798
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0039EB54,_alldiv,0039F0B7,80000001,00000000,00989680,00000000,?,?,?,0039E342,00000000,75B4EA50,80000001,00000000), ref: 0039EAF2
• GetProcAddress.KERNEL32(77310000,00000000), ref: 0039EB07
Strings
Memory Dump Source
• Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_390000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: f0a214c8507ed7eb85928fe1596c28e6e2c82517919a1c1dbed296e4f4a4d786
• Instruction ID: 9bef05808d1fa17d80c560f3b45a45cb55d404b09174f1da9ae99c3f87ce7b88
• Instruction Fuzzy Hash: 81D0C934608302AB8F17CF649D4B94A76ACAB56702F408015F406C1120E730D844DB01
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00392D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00392F01,?,003920FF,003A2000), ref: 00392D3A
                                                                                                                        • Part of subcall function 00392D21: LoadLibraryA.KERNEL32(?), ref: 00392D4A
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00392F73
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 00392F7A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000012.00000002.4594828499.0000000000390000.00000040.00000400.00020000.00000000.sdmp, Offset: 00390000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_18_2_390000_svchost.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1017166417-0
                                                                                                                      • Opcode ID: ca76a2612cc75b9222fc448bd8cf66b7337ec7123c69c714f9ece0f6db3b0e4e
                                                                                                                      • Instruction ID: 9db5a5b8d1a654153f2cc3357db54355262383a64e49b6ad0d914af88396b967
                                                                                                                      • Opcode Fuzzy Hash: ca76a2612cc75b9222fc448bd8cf66b7337ec7123c69c714f9ece0f6db3b0e4e
                                                                                                                      • Instruction Fuzzy Hash: 1D51CD7590020AAFDF06DF64D8889FABBB9FF16305F114169EC96C7210E7329A19CB80