
Windows Analysis Report
66HKNPT1fl.exe

Overview

General Information

Sample name: 66HKNPT1fl.exe
(renamed because the original name is a hash value)
Original sample name: 93469d74887267a8fbeed3a59094ddfbe12c991d800b4011b1ce5be62f6e27f3.exe
Analysis ID: 1551208
MD5: f0d9a1e7385ed0ea2ece3d30915163d5
SHA1: fa25bb798e084ddfa0ad97b659b49a405fa19b22
SHA256: 93469d74887267a8fbeed3a59094ddfbe12c991d800b4011b1ce5be62f6e27f3
Tags: exe user-adrian__luca
Infos:

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to resolve many domain names, but no domain seems valid
Connects to many different domains
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Executes massive DNS lookups (> 100)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 66HKNPT1fl.exe (PID: 4784 cmdline: "C:\Users\user\Desktop\66HKNPT1fl.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)
    • ew4bjmdlid9hjn8.exe (PID: 3960 cmdline: "C:\daxjjwrfm\ew4bjmdlid9hjn8.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)
      • qbpabupgx.exe (PID: 7084 cmdline: "C:\daxjjwrfm\qbpabupgx.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)
  • qbpabupgx.exe (PID: 6216 cmdline: C:\daxjjwrfm\qbpabupgx.exe MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)
    • tkjnbticppc.exe (PID: 7120 cmdline: mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)
      • qbpabupgx.exe (PID: 3708 cmdline: "c:\daxjjwrfm\qbpabupgx.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)
        • tkjnbticppc.exe (PID: 1540 cmdline: mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-07T15:42:08.521365+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.6 | 61217 | TCP
2024-11-07T15:42:36.798438+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.6 | 54000 | TCP
2024-11-07T15:41:57.817092+0100 | 2018141 | 1 | A Network Trojan was detected | 18.143.155.63 | 80 | 192.168.2.6 | 61164 | TCP
2024-11-07T15:42:00.835671+0100 | 2018141 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.6 | 61185 | TCP
2024-11-07T15:41:57.817092+0100 | 2037771 | 1 | A Network Trojan was detected | 18.143.155.63 | 80 | 192.168.2.6 | 61164 | TCP
2024-11-07T15:42:00.835671+0100 | 2037771 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.6 | 61185 | TCP
2024-11-07T15:41:54.378741+0100 | 2018316 | 1 | A Network Trojan was detected | 1.1.1.1 | 53 | 192.168.2.6 | 57769 | UDP
2024-11-07T15:43:42.679237+0100 | 2018316 | 1 | A Network Trojan was detected | 1.1.1.1 | 53 | 192.168.2.6 | 54598 | UDP
2024-11-07T15:41:54.258875+0100 | 2811542 | 1 | A Network Trojan was detected | 1.1.1.1 | 53 | 192.168.2.6 | 57116 | UDP
2024-11-07T15:43:55.894056+0100 | 2811542 | 1 | A Network Trojan was detected | 1.1.1.1 | 53 | 192.168.2.6 | 52210 | UDP
2024-11-07T15:41:57.420782+0100 | 2815568 | 1 | A Network Trojan was detected | 192.168.2.6 | 61164 | 18.143.155.63 | 80 | TCP
2024-11-07T15:43:37.556413+0100 | 2815568 | 1 | A Network Trojan was detected | 192.168.2.6 | 54125 | 18.143.155.63 | 80 | TCP
2024-11-07T15:41:55.658532+0100 | 2820680 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 61162 | 199.59.243.227 | 80 | TCP
2024-11-07T15:43:37.556413+0100 | 2820680 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 54125 | 18.143.155.63 | 80 | TCP


AV Detection

Source: 66HKNPT1fl.exe | Avira: detected
Source: C:\daxjjwrfm\qbpabupgx.exe | Avira: detection malicious, Label: HEUR/AGEN.1318578
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Avira: detection malicious, Label: HEUR/AGEN.1318578
Source: C:\daxjjwrfm\tkjnbticppc.exe | Avira: detection malicious, Label: HEUR/AGEN.1318578
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | ReversingLabs: Detection: 89%
Source: C:\daxjjwrfm\qbpabupgx.exe | ReversingLabs: Detection: 89%
Source: C:\daxjjwrfm\tkjnbticppc.exe | ReversingLabs: Detection: 89%
Source: 66HKNPT1fl.exe | ReversingLabs: Detection: 89%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\daxjjwrfm\qbpabupgx.exe | Joe Sandbox ML: detected
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Joe Sandbox ML: detected
Source: C:\daxjjwrfm\tkjnbticppc.exe | Joe Sandbox ML: detected
Source: 66HKNPT1fl.exe | Joe Sandbox ML: detected
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Code function: 2_2_00077040 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom, 2_2_00077040
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 3_2_00C47040 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom, 3_2_00C47040
Source: 66HKNPT1fl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_003660A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003660A0
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Code function: 2_2_000560A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_000560A0
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 3_2_00C260A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00C260A0
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 4_2_000A60A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_000A60A0
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 5_2_00C260A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 5_2_00C260A0
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 9_2_001060A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 9_2_001060A0

Networking

Source: Network traffic | Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.6:61162 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.6:54125 -> 18.143.155.63:80
Source: unknown | Network traffic detected: DNS query count 170
Source: global traffic | DNS traffic detected: number of DNS queries: 170
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: variousstream.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: returnbottle.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: gentleanother.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: glassbright.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: pleasantinstead.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: degreedaughter.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: variousstream.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: returnbottle.net
Source: Joe Sandbox View | IP Address: 18.143.155.63
Source: Joe Sandbox View | IP Address: 85.214.228.140
Source: Joe Sandbox View | IP Address: 199.59.243.227
Source: Network traffic | Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.6:57116
Source: Network traffic | Suricata IDS: 2018316 - Severity 1 - ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses : 1.1.1.1:53 -> 192.168.2.6:57769
Source: Network traffic | Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.6:61164 -> 18.143.155.63:80
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.143.155.63:80 -> 192.168.2.6:61164
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.6:61185
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.6:61185
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.143.155.63:80 -> 192.168.2.6:61164
Source: Network traffic | Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.6:54125 -> 18.143.155.63:80
Source: Network traffic | Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.6:52210
Source: Network traffic | Suricata IDS: 2018316 - Severity 1 - ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses : 1.1.1.1:53 -> 192.168.2.6:54598
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:61217
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:54000
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_003801B0 socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,closesocket, 0_2_003801B0
Source: qbpabupgx.exe, 00000003.00000002.2929888001.000000000138A000.00000004.00000020.00020000.00000000.sdmp, qbpabupgx.exe, 00000008.00000002.3398382691.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | File created: C:\Windows\daxjjwrfm\
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | File created: C:\Windows\daxjjwrfm\nozyy3rc2p
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | File created: C:\Windows\daxjjwrfm\nozyy3rc2p
Source: C:\daxjjwrfm\qbpabupgx.exe | File created: C:\Windows\daxjjwrfm\nozyy3rc2p
Source: C:\daxjjwrfm\tkjnbticppc.exe | File created: C:\Windows\daxjjwrfm\nozyy3rc2p
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | File deleted: C:\Windows\daxjjwrfm\nozyy3rc2p
Source: 66HKNPT1fl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 66HKNPT1fl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ew4bjmdlid9hjn8.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qbpabupgx.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tkjnbticppc.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal96.troj.winEXE@12/5@255/4
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 0_2_00378200
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 2_2_00068200
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 3_2_00C38200
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 4_2_000B8200
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 5_2_00C38200
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 9_2_00118200
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_0037C250 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_0037C250
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_00385010 StartServiceCtrlDispatcherA, 0_2_00385010
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Code function: 2_2_00075010 StartServiceCtrlDispatcherA, 2_2_00075010
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 3_2_00C45010 StartServiceCtrlDispatcherA, 3_2_00C45010
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 4_2_000C5010 StartServiceCtrlDispatcherA, 4_2_000C5010
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 5_2_00C45010 StartServiceCtrlDispatcherA, 5_2_00C45010
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 9_2_00125010 StartServiceCtrlDispatcherA, 9_2_00125010
Source: C:\daxjjwrfm\tkjnbticppc.exe | Mutant created: NULL
Source: 66HKNPT1fl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 66HKNPT1fl.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | File read: C:\Users\user\Desktop\66HKNPT1fl.exe
Source: unknown | Process created: C:\Users\user\Desktop\66HKNPT1fl.exe "C:\Users\user\Desktop\66HKNPT1fl.exe"
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Process created: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe "C:\daxjjwrfm\ew4bjmdlid9hjn8.exe"
Source: unknown | Process created: C:\daxjjwrfm\qbpabupgx.exe C:\daxjjwrfm\qbpabupgx.exe
Source: C:\daxjjwrfm\qbpabupgx.exe | Process created: C:\daxjjwrfm\tkjnbticppc.exe mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Process created: C:\daxjjwrfm\qbpabupgx.exe "C:\daxjjwrfm\qbpabupgx.exe"
Source: C:\daxjjwrfm\tkjnbticppc.exe | Process created: C:\daxjjwrfm\qbpabupgx.exe "c:\daxjjwrfm\qbpabupgx.exe"
Source: C:\daxjjwrfm\qbpabupgx.exe | Process created: C:\daxjjwrfm\tkjnbticppc.exe mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Section loaded: wintypes.dll
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Section loaded: apphelp.dll
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Section loaded: iphlpapi.dll
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Section loaded: dhcpcsvc.dll
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Section loaded: cryptsp.dll
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Section loaded: rsaenh.dll
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Section loaded: sspicli.dll
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Section loaded: userenv.dll
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Section loaded: profapi.dll
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Section loaded: ntmarta.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: apphelp.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: iphlpapi.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: dhcpcsvc.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: cryptsp.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: rsaenh.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: sspicli.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: profapi.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: ntmarta.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: mswsock.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: napinsp.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: pnrpnsp.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: wshbth.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: nlaapi.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: dnsapi.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: winrnr.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: rasadhlp.dll
Source: C:\daxjjwrfm\qbpabupgx.exe | Section loaded: fwpuclnt.dll
Source: C:\daxjjwrfm\tkjnbticppc.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_0038DB50 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_00368075 push edi; iretd 0_2_00368082
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_0036948D push ebx; ret 0_2_0036949F
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Code function: 2_2_00058075 push edi; iretd 2_2_00058082
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Code function: 2_2_0005948D push ebx; ret 2_2_0005949F
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 3_2_00C2948D push ebx; ret 3_2_00C2949F
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 3_2_00C28075 push edi; iretd 3_2_00C28082
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 4_2_000A8075 push edi; iretd 4_2_000A8082
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 4_2_000A948D push ebx; ret 4_2_000A949F
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 4_2_000AC55B pushfd; iretd 4_2_000AC568
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 5_2_00C2948D push ebx; ret 5_2_00C2949F
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 5_2_00C28075 push edi; iretd 5_2_00C28082
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 9_2_00108075 push edi; iretd 9_2_00108082
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 9_2_0010948D push ebx; ret 9_2_0010949F
Source: 66HKNPT1fl.exe | Static PE information: section name: .text, entropy: 6.914886364886215
Source: ew4bjmdlid9hjn8.exe.0.dr | Static PE information: section name: .text, entropy: 6.914886364886215
Source: qbpabupgx.exe.2.dr | Static PE information: section name: .text, entropy: 6.914886364886215
Source: tkjnbticppc.exe.3.dr | Static PE information: section name: .text, entropy: 6.914886364886215
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | File created: C:\daxjjwrfm\qbpabupgx.exe
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | File created: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe
Source: C:\daxjjwrfm\qbpabupgx.exe | File created: C:\daxjjwrfm\tkjnbticppc.exe
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_00385010 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_0038A050 OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Code function: 2_2_0007A050 OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 3_2_00C4A050 OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 4_2_000CA050 OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 5_2_00C4A050 OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 9_2_0012A050 OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Code function: 2_2_0007DB50 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 3_2_00C4DB50 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary
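Two of the static observations above are easy to reproduce outside the sandbox: the `push ebx; ret`, `push edi; iretd` and `pushfd; iretd` sequences that Joe Sandbox files under call/push/ret obfuscation, and the .text entropy of 6.91 that all four binaries share. The Python below is an added example written for this page, not code from the report or from Joe Sandbox. The byte buffers it scans are constructed here to contain the same opcode pairs and are not bytes taken from the sample, and the 7.0 entropy cut-off is an assumed rule of thumb, not a value the report states.

```python
import hashlib
import math
from collections import Counter

# x86 single-byte opcodes that make up the sequences the report flags.
PUSH_REG = {0x50 + i: r for i, r in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
PUSHFD, RET, IRETD = 0x9C, 0xC3, 0xCF

# Constructed sample "code" (not bytes from the sample): a prologue, a few nops,
# then the three pairs the report lists:
#   53 C3  push ebx; ret     57 CF  push edi; iretd     9C CF  pushfd; iretd
SAMPLE_CODE = (bytes([0x55, 0x8B, 0xEC]) + b"\x90" * 5
               + bytes([0x53, 0xC3, 0x57, 0xCF, 0x9C, 0xCF]))

# Constructed high-entropy buffer standing in for a packed or encrypted section:
# a deterministic SHA-256 chain, so the example runs offline and reproducibly.
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))

ENTROPY_THRESHOLD = 7.0  # assumed rule of thumb, not a figure from the report


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_verdict(entropy: float, threshold: float = ENTROPY_THRESHOLD) -> str:
    """Packers and crypters push a section towards 8.0; 6.91 sits below the cut-off."""
    return "likely packed or encrypted" if entropy >= threshold else "plain code/data"


def find_push_ret_gadgets(code: bytes, base: int = 0):
    """Return (address, mnemonic) for push r32;ret, push r32;iretd and pushfd;iretd.

    Each pair transfers control to a value on the stack without a jmp or call,
    which is why linear call-graph recovery loses track of it. A raw byte scan
    over-reports (it also matches inside longer instructions and inside data),
    so treat the hits as candidates to confirm in a disassembler.
    """
    hits = []
    for i in range(len(code) - 1):
        a, b = code[i], code[i + 1]
        if a in PUSH_REG and b in (RET, IRETD):
            target = "ret" if b == RET else "iretd"
            hits.append((base + i, f"push {PUSH_REG[a]}; {target}"))
        elif a == PUSHFD and b == IRETD:
            hits.append((base + i, "pushfd; iretd"))
    return hits


if __name__ == "__main__":
    for name, buf in (("constructed code", SAMPLE_CODE),
                      ("constructed random", HIGH_ENTROPY)):
        e = shannon_entropy(buf)
        print(f"{name}: entropy {e:.2f} -> {entropy_verdict(e)}")
    for addr, mnem in find_push_ret_gadgets(SAMPLE_CODE, base=0x360000):
        print(f"{addr:#010x} {mnem}")
```

The `iretd` variants deserve a second look in the disassembler before they are counted as obfuscation: `iretd` pops EIP, CS and EFLAGS, so `push edi; iretd` only works as a disguised jump if the code has prepared the two extra stack slots first, and a single `push` followed by `iretd` is just as likely to be a mid-instruction match.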
Source: C:\daxjjwrfm\tkjnbticppc.exe | Window / User API: threadDelayed 678
Source: C:\daxjjwrfm\tkjnbticppc.exe | Window / User API: threadDelayed 1196
Source: C:\daxjjwrfm\qbpabupgx.exe | Window / User API: threadDelayed 354
Source: C:\daxjjwrfm\qbpabupgx.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_3-11111
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_0-11325
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_2-11379
Source: C:\daxjjwrfm\tkjnbticppc.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_4-8223
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_2-9333
Source: C:\daxjjwrfm\tkjnbticppc.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_4-7495
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-9767
Source: C:\daxjjwrfm\qbpabupgx.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_3-10336
Source: C:\daxjjwrfm\qbpabupgx.exe TID: 6880 | Thread sleep time: -37774s >= -30000s
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 7116 | Thread sleep count: 678 > 30
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 7116 | Thread sleep time: -678000s >= -30000s
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 7116 | Thread sleep count: 1196 > 30
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 7116 | Thread sleep time: -1196000s >= -30000s
Source: C:\daxjjwrfm\qbpabupgx.exe TID: 3852 | Thread sleep count: 354 > 30
Source: C:\daxjjwrfm\qbpabupgx.exe TID: 3852 | Thread sleep time: -17700000s >= -30000s
Source: C:\daxjjwrfm\qbpabupgx.exe TID: 3852 | Thread sleep time: -50000s >= -30000s
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 1016 | Thread sleep count: 44 > 30
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 1016 | Thread sleep time: -44000s >= -30000s
Source: C:\daxjjwrfm\qbpabupgx.exe | Last function: Thread delayed
Source: C:\daxjjwrfm\qbpabupgx.exe | Last function: Thread delayed
Source: C:\daxjjwrfm\qbpabupgx.exe | Last function: Thread delayed
Source: C:\daxjjwrfm\tkjnbticppc.exe | Last function: Thread delayed
Source: C:\daxjjwrfm\tkjnbticppc.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_003660A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Code function: 2_2_000560A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 3_2_00C260A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 4_2_000A60A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\daxjjwrfm\qbpabupgx.exe | Code function: 5_2_00C260A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\daxjjwrfm\tkjnbticppc.exe | Code function: 9_2_001060A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\daxjjwrfm\qbpabupgx.exe | Thread delayed: delay time: 50000
Source: C:\daxjjwrfm\qbpabupgx.exe | Thread delayed: delay time: 50000
Source: qbpabupgx.exe, 00000003.00000002.2929888001.000000000138A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: ew4bjmdlid9hjn8.exe, 00000002.00000002.2169583902.00000000010FE000.00000004.00000020.00020000.00000000.sdmp; qbpabupgx.exe, 00000008.00000002.3398382691.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | API call chain: ExitProcess graph end node | graph_0-9389
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | API call chain: ExitProcess graph end node | graph_0-9349
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | API call chain: ExitProcess graph end node | graph_0-9401
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | API call chain: ExitProcess graph end node | graph_0-9502
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | API call chain: ExitProcess graph end node | graph_0-10301
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | API call chain: ExitProcess graph end node | graph_0-9513
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | API call chain: ExitProcess graph end node | graph_0-9331
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | API call chain: ExitProcess graph end node | graph_0-9546
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | API call chain: ExitProcess graph end node | graph_2-9379
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | API call chain: ExitProcess graph end node | graph_2-9338
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | API call chain: ExitProcess graph end node | graph_2-9364
Source: C:\daxjjwrfm\qbpabupgx.exe | API call chain: ExitProcess graph end node | graph_3-9435
Source: C:\daxjjwrfm\qbpabupgx.exe | API call chain: ExitProcess graph end node | graph_3-9417
Source: C:\daxjjwrfm\qbpabupgx.exe | API call chain: ExitProcess graph end node | graph_3-9378
Source: C:\daxjjwrfm\qbpabupgx.exe | API call chain: ExitProcess graph end node | graph_3-9583
Source: C:\daxjjwrfm\qbpabupgx.exe | API call chain: ExitProcess graph end node | graph_3-9403
Source: C:\daxjjwrfm\qbpabupgx.exe | API call chain: ExitProcess graph end node | graph_5-9408
Source: C:\daxjjwrfm\qbpabupgx.exe | API call chain: ExitProcess graph end node | graph_5-9424
Source: C:\daxjjwrfm\qbpabupgx.exe | API call chain: ExitProcess graph end node | graph_5-9370
Source: C:\daxjjwrfm\qbpabupgx.exe | API call chain: ExitProcess graph end node | graph_5-9395
Source: C:\daxjjwrfm\tkjnbticppc.exe | API call chain: ExitProcess graph end node (8 occurrences, graph node IDs not captured)
Source: C:\daxjjwrfm\qbpabupgx.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_0038DB50 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_0037C520 GetProcessHeap,RtlFreeHeap
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_0038C640 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_003899B0 GetSystemTime,GetTickCount
Source: C:\Users\user\Desktop\66HKNPT1fl.exe | Code function: 0_2_00372490 GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA
Source: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

The report prints the full matrix; a number in brackets after a technique is the count the report shows beside it for this sample, and techniques without a number are the unmarked cells of the matrix.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Service Execution (2), Native API (2), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: Windows Service (4), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Windows Service (4), Process Injection (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (11), Process Injection (1), Obfuscated Files or Information (2), Software Packing (2), DLL Side-Loading (1), File Deletion (1), Indicator Removal from Tools, HTML Smuggling
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1), Security Software Discovery (111), Virtualization/Sandbox Evasion (11), Process Discovery (2), Application Window Discovery (1), System Service Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (4)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (2), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph

Behavior Graph ID: 1551208 | Sample: 66HKNPT1fl.exe | Start date: 07/11/2024 | Architecture: WINDOWS | Score: 96

The graph is rendered as an image in the report; the nodes and edges it contains are listed below.

Start node
  DNS/IP: variousinstead.net, variousbright.net, 169 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures

Process tree (node numbers are the graph's own)
  66HKNPT1fl.exe (node 14)
    dropped: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe (PE32)
    started: ew4bjmdlid9hjn8.exe (node 19)
      dropped: C:\daxjjwrfm\qbpabupgx.exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      started: qbpabupgx.exe (node 24)
  qbpabupgx.exe (node 9)
    DNS/IP: degreedaughter.net 85.214.228.140 (ports 61213, 80; STRATOSTRATOAGDE, Germany); 7450.bodis.com 199.59.243.227 (ports 54124, 61162, 61196; BODIS-NJUS, United States); 2 other IPs or domains
    dropped: C:\daxjjwrfm\tkjnbticppc.exe (PE32)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    started: tkjnbticppc.exe (node 16)
      started: qbpabupgx.exe (node 22)
        started: tkjnbticppc.exe (node 26)
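The network side of the graph, two reachable hosts against 169 other names and a domain list in which almost every entry is unresolved, is the pattern the report's "tries to resolve many domain names, but no domain seems valid" and "executes massive DNS lookups" signatures describe, and it is also the cheapest thing to detect on an endpoint or resolver. The Python below is an added example written for this page, not code from the report or from Joe Sandbox. It parses a constructed resolver log in a hypothetical `key=value` format (the lines are made up here and only borrow a few domain names from the table above) and raises an alert when one process receives a burst of NXDOMAIN answers for distinct names; the threshold and window are assumptions to tune against real baselines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log (hypothetical format, not from the report or any real
# resolver). pid 3852 mimics the sample: two names resolve, then a burst fails.
SAMPLE_LOG = """\
2024-11-07T10:00:00Z host=ws01 pid=3852 query=degreedaughter.net rcode=NOERROR
2024-11-07T10:00:00Z host=ws01 pid=3852 query=7450.bodis.com rcode=NOERROR
2024-11-07T10:00:01Z host=ws01 pid=3852 query=leaderstream.net rcode=NXDOMAIN
2024-11-07T10:00:01Z host=ws01 pid=3852 query=forwardpeople.net rcode=NXDOMAIN
2024-11-07T10:00:02Z host=ws01 pid=3852 query=degreeanother.net rcode=NXDOMAIN
2024-11-07T10:00:02Z host=ws01 pid=3852 query=degreeexplain.net rcode=NXDOMAIN
2024-11-07T10:00:03Z host=ws01 pid=3852 query=heaveninside.net rcode=NXDOMAIN
2024-11-07T10:00:03Z host=ws01 pid=3852 query=answerappear.net rcode=NXDOMAIN
2024-11-07T10:00:04Z host=ws01 pid=3852 query=heavybusiness.net rcode=NXDOMAIN
2024-11-07T10:00:04Z host=ws01 pid=3852 query=pleasantinside.net rcode=NXDOMAIN
2024-11-07T10:00:05Z host=ws01 pid=1234 query=www.example.com rcode=NOERROR
2024-11-07T10:00:06Z host=ws01 pid=1234 query=typo.exmaple.com rcode=NXDOMAIN
2024-11-07T10:30:00Z host=ws02 pid=777 query=leaderstream.net rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) "
                     r"query=(?P<qname>\S+) rcode=(?P<rcode>\S+)$")


def parse_dns_log(text):
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "pid": int(m["pid"]),
            "qname": m["qname"].lower().rstrip("."), "rcode": m["rcode"],
        })
    return records


def find_nxdomain_bursts(records, threshold=5, window=timedelta(seconds=60)):
    """Alert when one (host, pid) gets NXDOMAIN for >= threshold distinct names
    inside any sliding window of the given length. Counting distinct names keeps
    a single misspelled hostname retried in a loop from tripping the rule."""
    nx_by_proc = defaultdict(list)
    totals = defaultdict(int)
    for r in records:
        key = (r["host"], r["pid"])
        totals[key] += 1
        if r["rcode"] == "NXDOMAIN":
            nx_by_proc[key].append(r)

    alerts = []
    for key, nx in nx_by_proc.items():
        nx.sort(key=lambda r: r["ts"])
        best, j = 0, 0
        for i in range(len(nx)):            # two-pointer window over NXDOMAINs
            while nx[i]["ts"] - nx[j]["ts"] > window:
                j += 1
            best = max(best, len({r["qname"] for r in nx[j:i + 1]}))
        if best >= threshold:
            failed = sorted({r["qname"] for r in nx})
            alerts.append({
                "host": key[0], "pid": key[1],
                "nxdomain_in_window": best,
                "nxdomain_total": len(nx),
                "queries_total": totals[key],
                "sample_failed_names": failed[:5],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_nxdomain_bursts(parse_dns_log(SAMPLE_LOG)):
        print(alert)
```

Per-process attribution (the `pid` field here) is what makes the rule precise; on a resolver that only sees the client IP, raise the threshold and key on the source address instead, and expect more noise from browsers and update agents.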

Antivirus detection

Source | Detection | Scanner | Label
66HKNPT1fl.exe | 89% | ReversingLabs | Win32.Trojan.Bayrob
66HKNPT1fl.exe | 100% | Avira | HEUR/AGEN.1318578
66HKNPT1fl.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\daxjjwrfm\qbpabupgx.exe | 100% | Avira | HEUR/AGEN.1318578
C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | 100% | Avira | HEUR/AGEN.1318578
C:\daxjjwrfm\tkjnbticppc.exe | 100% | Avira | HEUR/AGEN.1318578
C:\daxjjwrfm\qbpabupgx.exe | 100% | Joe Sandbox ML |
C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | 100% | Joe Sandbox ML |
C:\daxjjwrfm\tkjnbticppc.exe | 100% | Joe Sandbox ML |
C:\daxjjwrfm\ew4bjmdlid9hjn8.exe | 89% | ReversingLabs | Win32.Trojan.Bayrob
C:\daxjjwrfm\qbpabupgx.exe | 89% | ReversingLabs | Win32.Trojan.Bayrob
C:\daxjjwrfm\tkjnbticppc.exe | 89% | ReversingLabs | Win32.Trojan.Bayrob

The remaining three antivirus tables of the report are empty: No Antivirus matches.
NameIPActiveMaliciousAntivirus DetectionReputation
degreedaughter.net
85.214.228.140
truefalse
    high
    7450.bodis.com
    199.59.243.227
    truefalse
      high
      gentleanother.net
      54.244.188.177
      truefalse
        high
        returnbottle.net
        18.143.155.63
        truefalse
          high
          pleasantinstead.net
          18.143.155.63
          truefalse
            high
            leaderstream.net
            unknown
            unknowntrue
              unknown
              forwardpeople.net
              unknown
              unknowntrue
                unknown
                degreeanother.net
                unknown
                unknowntrue
                  unknown
                  degreeexplain.net
                  unknown
                  unknowntrue
                    unknown
                    heaveninside.net
                    unknown
                    unknowntrue
                      unknown
                      answerappear.net
                      unknown
                      unknowntrue
                        unknown
                        heavybusiness.net
                        unknown
                        unknowntrue
                          unknown
                          pleasantinside.net
                          unknown
                          unknowntrue
                            unknown
                            requirebusiness.net
                            unknown
                            unknowntrue
                              unknown
                              forwardinside.net
                              unknown
                              unknowntrue
                                unknown
                                glassmanner.net
                                unknown
                                unknowntrue
                                  unknown
                                  answerexplain.net
                                  unknown
                                  unknowntrue
                                    unknown
                                    orderinside.net
                                    unknown
                                    unknowntrue
                                      unknown
                                      variousappear.net
                                      unknown
                                      unknowntrue
                                        unknown
                                        returnbright.net
                                        unknown
                                        unknowntrue
                                          unknown
                                          difficultanother.net
                                          unknown
                                          unknowntrue
                                            unknown
                                            heavyinside.net
                                            unknown
                                            unknowntrue
                                              unknown
                                              forwardready.net
                                              unknown
                                              unknowntrue
                                                unknown
                                                glassdaughter.net
                                                unknown
                                                unknowntrue
                                                  unknown
                                                  necessarymanner.net
                                                  unknown
                                                  unknowntrue
                                                    unknown
                                                    leadernothing.net
                                                    unknown
                                                    unknowntrue
                                                      unknown
                                                      answeranother.net
                                                      unknown
                                                      unknowntrue
                                                        unknown
                                                        leadermanner.net
                                                        unknown
                                                        unknowntrue
                                                          unknown
                                                          heavybottle.net
                                                          unknown
                                                          unknowntrue
                                                            unknown
                                                            heavenbright.net
                                                            unknown
                                                            unknowntrue
                                                              unknown
                                                              heavydivide.net
                                                              unknown
                                                              unknowntrue
                                                                unknown
                                                                degreebrown.net
                                                                unknown
                                                                unknowntrue
                                                                  unknown
                                                                  gentleinstead.net
                                                                  unknown
                                                                  unknowntrue
                                                                    unknown
                                                                    glassanother.net
                                                                    unknown
                                                                    unknowntrue
                                                                      unknown
                                                                      heavenanother.net
                                                                      unknown
                                                                      unknowntrue
                                                                        unknown
                                                                        difficultmanner.net
                                                                        unknown
                                                                        unknowntrue
                                                                          unknown
                                                                          glassexplain.net
                                                                          unknown
                                                                          unknowntrue
                                                                            unknown
                                                                            requireinside.net
                                                                            unknown
                                                                            unknowntrue
                                                                              unknown
                                                                              heavenexplain.net
                                                                              unknown
                                                                              unknowntrue
                                                                                unknown
                                                                                forwardbusiness.net
                                                                                unknown
                                                                                unknowntrue
                                                                                  unknown
                                                                                  difficultexplain.net
                                                                                  unknown
                                                                                  unknowntrue
                                                                                    unknown
                                                                                    gentleappear.net
                                                                                    unknown
                                                                                    unknowntrue
                                                                                      unknown
                                                                                      pleasantbright.net
                                                                                      unknown
                                                                                      unknowntrue
                                                                                        unknown
                                                                                        returnexplain.net
                                                                                        unknown
                                                                                        unknowntrue
                                                                                          unknown
                                                                                          gentlemanner.net
                                                                                          unknown
                                                                                          unknowntrue
                                                                                            unknown
                                                                                            answerdaughter.net
                                                                                            unknown
                                                                                            unknowntrue
                                                                                              unknown
                                                                                              heardinside.net
                                                                                              unknown
                                                                                              unknowntrue
                                                                                                unknown
                                                                                                requiremanner.net
                                                                                                unknown
                                                                                                unknowntrue
                                                                                                  unknown
                                                                                                  gentleexplain.net
                                                                                                  unknown
                                                                                                  unknowntrue
                                                                                                    unknown
                                                                                                    glassappear.net
                                                                                                    unknown
                                                                                                    unknowntrue
                                                                                                      unknown
                                                                                                      necessaryanother.net
                                                                                                      unknown
                                                                                                      unknowntrue
                                                                                                        unknown
Name | IP | Active | Malicious | Antivirus Detection | Reputation
glassinside.net | unknown | unknown | true | | unknown
difficultbright.net | unknown | unknown | true | | unknown
glasspeople.net | unknown | unknown | true | | unknown
requireinstead.net | unknown | unknown | true | | unknown
necessaryinside.net | unknown | unknown | true | | unknown
returndivide.net | unknown | unknown | true | | unknown
heardinstead.net | unknown | unknown | true | | unknown
variousbright.net | unknown | unknown | true | | unknown
degreebusiness.net | unknown | unknown | true | | unknown
answerbusiness.net | unknown | unknown | true | | unknown
heavenbusiness.net | unknown | unknown | true | | unknown
gentledivide.net | unknown | unknown | true | | unknown
variousinstead.net | unknown | unknown | true | | unknown
gentlestream.net | unknown | unknown | true | | unknown
pleasantmanner.net | unknown | unknown | true | | unknown
necessaryappear.net | unknown | unknown | true | | unknown
pleasantbusiness.net | unknown | unknown | true | | unknown
heardbright.net | unknown | unknown | true | | unknown
heavenbottle.net | unknown | unknown | true | | unknown
heavynothing.net | unknown | unknown | true | | unknown
gentlebusiness.net | unknown | unknown | true | | unknown
ordermanner.net | unknown | unknown | true | | unknown
leaderbottle.net | unknown | unknown | true | | unknown
pleasantanother.net | unknown | unknown | true | | unknown
heavyanother.net | unknown | unknown | true | | unknown
degreeinstead.net | unknown | unknown | true | | unknown
degreepeople.net | unknown | unknown | true | | unknown
answerready.net | unknown | unknown | true | | unknown
answerbright.net | unknown | unknown | true | | unknown
heavennothing.net | unknown | unknown | true | | unknown
returninside.net | unknown | unknown | true | | unknown
forwardbright.net | unknown | unknown | true | | unknown
difficultinside.net | unknown | unknown | true | | unknown
heavybright.net | unknown | unknown | true | | unknown
leaderanother.net | unknown | unknown | true | | unknown
returninstead.net | unknown | unknown | true | | unknown
difficultinstead.net | unknown | unknown | true | | unknown
heavenappear.net | unknown | unknown | true | | unknown
answerinside.net | unknown | unknown | true | | unknown
degreebright.net | unknown | unknown | true | | unknown
forwardbrown.net | unknown | unknown | true | | unknown
heavyinstead.net | unknown | unknown | true | | unknown
gentleinside.net | unknown | unknown | true | | unknown
heardexplain.net | unknown | unknown | true | | unknown
heavyappear.net | unknown | unknown | true | | unknown
answerpeople.net | unknown | unknown | true | | unknown
pleasantexplain.net | unknown | unknown | true | | unknown
requireexplain.net | unknown | unknown | true | | unknown
orderappear.net | unknown | unknown | true | | unknown
                                                                                                                                                                                                          NameSourceMaliciousAntivirus DetectionReputation
                                                                                                                                                                                                          https://www.google.comqbpabupgx.exe, 00000003.00000002.2929888001.000000000138A000.00000004.00000020.00020000.00000000.sdmp, qbpabupgx.exe, 00000008.00000002.3398382691.0000000000F6F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            • No. of IPs < 25%
                                                                                                                                                                                                            • 25% < No. of IPs < 50%
                                                                                                                                                                                                            • 50% < No. of IPs < 75%
                                                                                                                                                                                                            • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
18.143.155.63 | returnbottle.net | United States | US | 16509 | AMAZON-02 | false
85.214.228.140 | degreedaughter.net | Germany | DE | 6724 | STRATOSTRATOAG | false
199.59.243.227 | 7450.bodis.com | United States | US | 395082 | BODIS-NJ | false
54.244.188.177 | gentleanother.net | United States | US | 16509 | AMAZON-02 | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1551208
Start date and time: 2024-11-07 15:40:56 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 66HKNPT1fl.exe (renamed because the original name is a hash value)
Original Sample Name: 93469d74887267a8fbeed3a59094ddfbe12c991d800b4011b1ce5be62f6e27f3.exe
Detection: MAL
Classification: mal96.troj.winEXE@12/5@255/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 80
• Number of non-executed functions: 111
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: 66HKNPT1fl.exe
Time | Type | Description
09:42:24 | API Interceptor | 1856x Sleep call for process: tkjnbticppc.exe modified
09:43:10 | API Interceptor | 417x Sleep call for process: qbpabupgx.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
18.143.155.63 | PORgjGswYg.exe | malicious | Unknown | pleasantinstead.net/index.php
18.143.155.63 | BNGj6QoBjK.exe | malicious | Unknown | pleasantinstead.net/index.php
18.143.155.63 | PORgjGswYg.exe | malicious | Unknown | returnbottle.net/index.php
18.143.155.63 | BNGj6QoBjK.exe | malicious | Unknown | returnbottle.net/index.php
18.143.155.63 | DBROG0eWH7.exe | malicious | Unknown | returnbottle.net/index.php
18.143.155.63 | DBROG0eWH7.exe | malicious | Unknown | returnbottle.net/index.php
85.214.228.140 | PORgjGswYg.exe | malicious | Unknown | degreedaughter.net/index.php
85.214.228.140 | BNGj6QoBjK.exe | malicious | Unknown | degreedaughter.net/index.php
85.214.228.140 | PORgjGswYg.exe | malicious | Unknown | degreedaughter.net/index.php
85.214.228.140 | BNGj6QoBjK.exe | malicious | Unknown | degreedaughter.net/index.php
85.214.228.140 | AENiBH7X1q.exe | malicious | PureLog Stealer, RedLine | dlynankz.biz/mfjpaqkdwglsvxqo
85.214.228.140 | E_dekont.cmd | malicious | DBatLoader, Nitol, PureLog Stealer, XWorm | dlynankz.biz/rgkgvuyxljjatio
85.214.228.140 | Y2EM7suNV5.exe | malicious | MassLogger RAT | dlynankz.biz/pio
85.214.228.140 | AsusSetup.exe | malicious | Unknown | dlynankz.biz/og
85.214.228.140 | SetupRST.exe | malicious | Unknown | dlynankz.biz/u
85.214.228.140 | AsusSetup.exe | malicious | Unknown | dlynankz.biz/eoefw
199.59.243.227 | PORgjGswYg.exe | malicious | Unknown | glassbright.net/index.php
199.59.243.227 | BNGj6QoBjK.exe | malicious | Unknown | glassbright.net/index.php
199.59.243.227 | PORgjGswYg.exe | malicious | Unknown | variousstream.net/index.php
199.59.243.227 | BNGj6QoBjK.exe | malicious | Unknown | variousstream.net/index.php
199.59.243.227 | DBROG0eWH7.exe | malicious | Unknown | variousstream.net/index.php
199.59.243.227 | DBROG0eWH7.exe | malicious | Unknown | glassbright.net/index.php
199.59.243.227 | DHL_doc.exe | malicious | FormBook | www.adsdomain-195.click/xene/
199.59.243.227 | Wc7HGBGZfE.exe | malicious | FormBook | www.care-for-baby-1107.xyz/ev0s/
199.59.243.227 | XhAQ0Rk63O.exe | malicious | FormBook | www.migraine-massages.pro/ym43/
199.59.243.227 | BkZqIS5vlv.exe | malicious | FormBook | www.deepfy.xyz/jlkn/
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
gentleanother.net | PORgjGswYg.exe | malicious | Unknown | 54.244.188.177
gentleanother.net | BNGj6QoBjK.exe | malicious | Unknown | 54.244.188.177
gentleanother.net | PORgjGswYg.exe | malicious | Unknown | 54.244.188.177
gentleanother.net | BNGj6QoBjK.exe | malicious | Unknown | 54.244.188.177
returnbottle.net | PORgjGswYg.exe | malicious | Unknown | 18.143.155.63
returnbottle.net | BNGj6QoBjK.exe | malicious | Unknown | 18.143.155.63
returnbottle.net | PORgjGswYg.exe | malicious | Unknown | 18.143.155.63
returnbottle.net | BNGj6QoBjK.exe | malicious | Unknown | 18.143.155.63
returnbottle.net | DBROG0eWH7.exe | malicious | Unknown | 18.143.155.63
returnbottle.net | DBROG0eWH7.exe | malicious | Unknown | 18.143.155.63
degreedaughter.net | PORgjGswYg.exe | malicious | Unknown | 85.214.228.140
degreedaughter.net | BNGj6QoBjK.exe | malicious | Unknown | 85.214.228.140
degreedaughter.net | PORgjGswYg.exe | malicious | Unknown | 85.214.228.140
degreedaughter.net | BNGj6QoBjK.exe | malicious | Unknown | 85.214.228.140
pleasantinstead.net | PORgjGswYg.exe | malicious | Unknown | 18.143.155.63
pleasantinstead.net | BNGj6QoBjK.exe | malicious | Unknown | 18.143.155.63
pleasantinstead.net | PORgjGswYg.exe | malicious | Unknown | 18.143.155.63
                                                                                                                                                                                                            BNGj6QoBjK.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 18.143.155.63
                                                                                                                                                                                                            7450.bodis.comPORgjGswYg.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 199.59.243.227
                                                                                                                                                                                                            BNGj6QoBjK.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 199.59.243.227
                                                                                                                                                                                                            PORgjGswYg.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 199.59.243.227
                                                                                                                                                                                                            BNGj6QoBjK.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 199.59.243.227
                                                                                                                                                                                                            DBROG0eWH7.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 199.59.243.227
                                                                                                                                                                                                            DBROG0eWH7.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 199.59.243.227
                                                                                                                                                                                                            25XrVZw56S.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 199.59.243.227
                                                                                                                                                                                                            25XrVZw56S.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 199.59.243.227
                                                                                                                                                                                                            oUc5lyEzJy.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 199.59.243.227
                                                                                                                                                                                                            JUHGSyleu7.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 199.59.243.227
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02 (US) | PORgjGswYg.exe | malicious | Unknown | 54.244.188.177
 | BNGj6QoBjK.exe | malicious | Unknown | 54.244.188.177
 | PORgjGswYg.exe | malicious | Unknown | 54.244.188.177
 | BNGj6QoBjK.exe | malicious | Unknown | 54.244.188.177
 | ch89yHIa99.exe | malicious | Ducktail | 13.35.58.111
 | ub7ZX9i3k6.exe | malicious | Ducktail | 13.35.58.86
 | uupEsxBhAI.exe | malicious | Ducktail | 13.35.58.78
 | yfM67N9UUL.exe | malicious | Ducktail | 13.35.58.67
 | byte.arm7.elf | malicious | Mirai, Okiru | 54.112.121.173
 | byte.sh4.elf | malicious | Mirai, Okiru | 13.127.145.74
STRATO STRATO AG (DE) | PORgjGswYg.exe | malicious | Unknown | 85.214.228.140
 | BNGj6QoBjK.exe | malicious | Unknown | 85.214.228.140
 | PORgjGswYg.exe | malicious | Unknown | 85.214.228.140
 | BNGj6QoBjK.exe | malicious | Unknown | 85.214.228.140
 | http://googe.de | malicious | Unknown | 85.214.62.112
 | debug.dbg.elf | malicious | Mirai | 85.215.233.6
 | DHL_doc.exe | malicious | FormBook | 81.169.145.95
 | AENiBH7X1q.exe | malicious | PureLog Stealer, RedLine | 85.214.228.140
 | E_dekont.cmd | malicious | DBatLoader, Nitol, PureLog Stealer, XWorm | 85.214.228.140
 | Y2EM7suNV5.exe | malicious | MassLogger RAT | 85.214.228.140
BODIS-NJ (US) | PORgjGswYg.exe | malicious | Unknown | 199.59.243.227
 | BNGj6QoBjK.exe | malicious | Unknown | 199.59.243.227
 | PORgjGswYg.exe | malicious | Unknown | 199.59.243.227
 | BNGj6QoBjK.exe | malicious | Unknown | 199.59.243.227
 | DBROG0eWH7.exe | malicious | Unknown | 199.59.243.227
 | DBROG0eWH7.exe | malicious | Unknown | 199.59.243.227
 | DHL_doc.exe | malicious | FormBook | 199.59.243.227
 | Wc7HGBGZfE.exe | malicious | FormBook | 199.59.243.227
 | XhAQ0Rk63O.exe | malicious | FormBook | 199.59.243.227
 | BkZqIS5vlv.exe | malicious | FormBook | 199.59.243.227
AMAZON-02 (US) | PORgjGswYg.exe | malicious | Unknown | 54.244.188.177
 | BNGj6QoBjK.exe | malicious | Unknown | 54.244.188.177
 | PORgjGswYg.exe | malicious | Unknown | 54.244.188.177
 | BNGj6QoBjK.exe | malicious | Unknown | 54.244.188.177
 | ch89yHIa99.exe | malicious | Ducktail | 13.35.58.111
 | ub7ZX9i3k6.exe | malicious | Ducktail | 13.35.58.86
 | uupEsxBhAI.exe | malicious | Ducktail | 13.35.58.78
 | yfM67N9UUL.exe | malicious | Ducktail | 13.35.58.67
 | byte.arm7.elf | malicious | Mirai, Okiru | 54.112.121.173
 | byte.sh4.elf | malicious | Mirai, Okiru | 13.127.145.74
No context
No context
Process: C:\Users\user\Desktop\66HKNPT1fl.exe
File Type: Non-ISO extended-ASCII text, with no line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:ej:ej
MD5: 2D0985C59DB9049A2394A00B369922BA
SHA1: CDC3557373CD4FB044D4D63C30DC1C07FCE6EC97
SHA-256: A22E9689649DCADDAB2A6FCE1A88B715EC53B59E48FD29B526E16E7FFA8A0CA7
SHA-512: C2119D490AC9105DC0E488CDC1A6397E0F4F20AF9B60EF02164C1989B8B5DAD0F4F478DF909DB528E68F77087C2875E60A6FCEB7072E67C59B938F48B6A41283
Malicious: false
Reputation: low
Preview: ..H{y._J
Process: C:\Users\user\Desktop\66HKNPT1fl.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 248320
Entropy (8bit): 7.1562498967433505
Encrypted: false
SSDEEP: 3072:r/FjWEUzcSG8sGAVlElIY68MjAshfv6FKzFn8kysCdxYcYQ6OZadi6IyngAUexv6:ZF86JOvshn6FulCjl6cMWyJip
MD5: F0D9A1E7385ED0EA2ECE3D30915163D5
SHA1: FA25BB798E084DDFA0AD97B659B49A405FA19B22
SHA-256: 93469D74887267A8FBEED3A59094DDFBE12C991D800B4011B1CE5BE62F6E27F3
SHA-512: 50D640BB92E2E98AFD47D14DFAB9855D9F9C2D2F9CF7346FFF6F69B195F8A98232A9BCA964CF51C384F389B4FACD3CE9577E739BDF709D1F2E918A2EBB408C26
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 89%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3...]..]..].V&..]..\..].....].....].Rich..].........................PE..L...d_5S.....................@.......m....... ....@..........................p............@.................................\"..P...............................tu................................................... ..h............................text............................... ..`.rdata....... ......................@..@.data........0...>..................@....reloc...v.......x...R..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\66HKNPT1fl.exe
File Type: Non-ISO extended-ASCII text, with no line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:ej:ej
MD5: 2D0985C59DB9049A2394A00B369922BA
SHA1: CDC3557373CD4FB044D4D63C30DC1C07FCE6EC97
SHA-256: A22E9689649DCADDAB2A6FCE1A88B715EC53B59E48FD29B526E16E7FFA8A0CA7
SHA-512: C2119D490AC9105DC0E488CDC1A6397E0F4F20AF9B60EF02164C1989B8B5DAD0F4F478DF909DB528E68F77087C2875E60A6FCEB7072E67C59B938F48B6A41283
Malicious: false
Reputation: low
Preview: ..H{y._J

Process: C:\daxjjwrfm\ew4bjmdlid9hjn8.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 248320
Entropy (8bit): 7.1562498967433505
Encrypted: false
SSDEEP: 3072:r/FjWEUzcSG8sGAVlElIY68MjAshfv6FKzFn8kysCdxYcYQ6OZadi6IyngAUexv6:ZF86JOvshn6FulCjl6cMWyJip
MD5: F0D9A1E7385ED0EA2ECE3D30915163D5
SHA1: FA25BB798E084DDFA0AD97B659B49A405FA19B22
SHA-256: 93469D74887267A8FBEED3A59094DDFBE12C991D800B4011B1CE5BE62F6E27F3
SHA-512: 50D640BB92E2E98AFD47D14DFAB9855D9F9C2D2F9CF7346FFF6F69B195F8A98232A9BCA964CF51C384F389B4FACD3CE9577E739BDF709D1F2E918A2EBB408C26
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 89%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3...]..]..].V&..]..\..].....].....].Rich..].........................PE..L...d_5S.....................@.......m....... ....@..........................p............@.................................\"..P...............................tu................................................... ..h............................text............................... ..`.rdata....... ......................@..@.data........0...>..................@....reloc...v.......x...R..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\daxjjwrfm\qbpabupgx.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 248320
Entropy (8bit): 7.1562498967433505
Encrypted: false
SSDEEP: 3072:r/FjWEUzcSG8sGAVlElIY68MjAshfv6FKzFn8kysCdxYcYQ6OZadi6IyngAUexv6:ZF86JOvshn6FulCjl6cMWyJip
MD5: F0D9A1E7385ED0EA2ECE3D30915163D5
SHA1: FA25BB798E084DDFA0AD97B659B49A405FA19B22
SHA-256: 93469D74887267A8FBEED3A59094DDFBE12C991D800B4011B1CE5BE62F6E27F3
SHA-512: 50D640BB92E2E98AFD47D14DFAB9855D9F9C2D2F9CF7346FFF6F69B195F8A98232A9BCA964CF51C384F389B4FACD3CE9577E739BDF709D1F2E918A2EBB408C26
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 89%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3...]..]..].V&..]..\..].....].....].Rich..].........................PE..L...d_5S.....................@.......m....... ....@..........................p............@.................................\"..P...............................tu................................................... ..h............................text............................... ..`.rdata....... ......................@..@.data........0...>..................@....reloc...v.......x...R..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.1562498967433505
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 66HKNPT1fl.exe
File size: 248'320 bytes
MD5: f0d9a1e7385ed0ea2ece3d30915163d5
SHA1: fa25bb798e084ddfa0ad97b659b49a405fa19b22
SHA256: 93469d74887267a8fbeed3a59094ddfbe12c991d800b4011b1ce5be62f6e27f3
SHA512: 50d640bb92e2e98afd47d14dfab9855d9f9c2d2f9cf7346fff6f69b195f8a98232a9bca964cf51c384f389b4facd3ce9577e739bdf709d1f2e918a2ebb408c26
SSDEEP: 3072:r/FjWEUzcSG8sGAVlElIY68MjAshfv6FKzFn8kysCdxYcYQ6OZadi6IyngAUexv6:ZF86JOvshn6FulCjl6cMWyJip
TLSH: FE34AD66D6100137DC5125FD866C3BB2EA5E9278BF1811C3839636E82CB0AD9DA3774F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3...]...]...]..V&...]...\...].......].......].Rich..].........................PE..L...d_5S.....................@.......m.....
Icon Hash: 00928e8e8686b000
Entrypoint: 0x426d10
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x53355F64 [Fri Mar 28 11:39:16 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 24940cd2712c7c6b52de6089584e9809
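Two things in the tables above are worth pulling out programmatically when triaging a report like this. First, three of the dropped PE files carry the same SHA-256 as the submitted sample (93469d74...e27f3, 248320 bytes), so the sample is copying itself, and the last two copies are written by processes that already live in C:\daxjjwrfm\, i.e. by earlier copies. Second, the PE header fields (the COFF timestamp and the DllCharacteristics flags) tell you how old the build claims to be and which exploit mitigations it opted into. The script below is an added example, not code from the report or from Joe Sandbox; it embeds the hashes and process paths listed above as constructed records. The raw DllCharacteristics value is not printed in the report, so the example assumes 0x8040 (DYNAMIC_BASE | TERMINAL_SERVER_AWARE), which is the value that yields exactly the two flag names shown.

```python
"""Triage helpers for the static and dropped-file tables of a sandbox report (added example)."""
from datetime import datetime, timezone
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# SHA-256 of the submitted sample, copied from the report.
SAMPLE_SHA256 = "93469d74887267a8fbeed3a59094ddfbe12c991d800b4011b1ce5be62f6e27f3"

# Dropped-file records as listed in the report (constructed from the table above:
# the process that wrote the file, the file's SHA-256 and its size).
DROPPED_FILES: List[Dict[str, object]] = [
    {"process": r"C:\Users\user\Desktop\66HKNPT1fl.exe",
     "sha256": "93469D74887267A8FBEED3A59094DDFBE12C991D800B4011B1CE5BE62F6E27F3", "size": 248320},
    {"process": r"C:\Users\user\Desktop\66HKNPT1fl.exe",
     "sha256": "A22E9689649DCADDAB2A6FCE1A88B715EC53B59E48FD29B526E16E7FFA8A0CA7", "size": 8},
    {"process": r"C:\daxjjwrfm\ew4bjmdlid9hjn8.exe",
     "sha256": "93469D74887267A8FBEED3A59094DDFBE12C991D800B4011B1CE5BE62F6E27F3", "size": 248320},
    {"process": r"C:\daxjjwrfm\qbpabupgx.exe",
     "sha256": "93469D74887267A8FBEED3A59094DDFBE12C991D800B4011B1CE5BE62F6E27F3", "size": 248320},
]


def decode_pe_timestamp(time_date_stamp: int) -> str:
    """Render the COFF TimeDateStamp (seconds since 1970-01-01 UTC) in the report's format."""
    when = datetime.fromtimestamp(time_date_stamp, tz=timezone.utc)
    return when.strftime("%a %b %d %H:%M:%S %Y UTC")


def decode_dll_characteristics(value: int) -> List[str]:
    """Expand the DllCharacteristics bit field into the flag names the report prints."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def missing_mitigations(value: int) -> List[str]:
    """Mitigations a current linker enables by default that this header does not opt into."""
    return [DLL_CHARACTERISTICS[bit] for bit in (0x0040, 0x0100, 0x0400) if not value & bit]


def self_copies(sample_sha256: str, dropped: List[Dict[str, object]]) -> List[str]:
    """Processes that wrote a file byte-identical to the submitted sample (same SHA-256)."""
    want = sample_sha256.lower()
    return [str(d["process"]) for d in dropped if str(d["sha256"]).lower() == want]


if __name__ == "__main__":
    # Assumed raw DllCharacteristics: the report lists only the two flag names, not the number.
    dll_chars = 0x0040 | 0x8000
    print("compiled:", decode_pe_timestamp(0x53355F64))
    print("dll characteristics:", decode_dll_characteristics(dll_chars))
    print("missing mitigations:", missing_mitigations(dll_chars))
    for proc in self_copies(SAMPLE_SHA256, DROPPED_FILES):
        print("self-copy written by:", proc)
```

The timestamp decodes to the same date the report shows, and the self-copy check returns the three writers, two of which sit in the C:\daxjjwrfm\ directory the sample created. A 2014 build timestamp on an unsigned, 248 KB GUI executable with no NX_COMPAT and no NO_SEH is consistent with the old, non-hardened toolchain the header suggests, but a timestamp is attacker-controlled and should be treated as a hint, not evidence.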
Instruction
mov ax, word ptr [00447212h]
mov ecx, dword ptr [0043CA38h]
cwde
push esi
or esi, FFFFFFFFh
add word ptr [00447212h], si
add ecx, eax
cmp ecx, B13E0982h
jl 00007F4FD4F38C9Bh
mov dx, word ptr [0044DE84h]
mov ecx, dword ptr [00444F1Ch]
movsx eax, dx
and ecx, eax
mov word ptr [0044DE84h], cx
call 00007F4FD4F14E25h
add dword ptr [0043DF88h], DEFAFFFCh
call 00007F4FD4F14006h
add dword ptr [00441E54h], esi
inc word ptr [0044C23Eh]
mov dx, word ptr [0044C23Eh]
mov ecx, dword ptr [00441E54h]
movsx eax, dx
add eax, 6DA8752Dh
or ecx, eax
cmp ecx, 40440043h
jnle 00007F4FD4F38CACh
mov eax, dword ptr [004381ECh]
mov edx, dword ptr [00438A5Ch]
and eax, F5B7F8B7h
xor eax, C6284EF0h
sub edx, 4E4EEEC7h
cmp eax, edx
jnl 00007F4FD4F38C8Dh
                                                                                                                                                                                                            mov eax, dword ptr [004432A4h]
                                                                                                                                                                                                            mov ecx, dword ptr [0044634Ch]
                                                                                                                                                                                                            push 00432170h
                                                                                                                                                                                                            push 00432168h
                                                                                                                                                                                                            call 00007F4FD4F372C1h
                                                                                                                                                                                                            and dword ptr [00443E18h], 6DD9F72Ah
                                                                                                                                                                                                            add esp, 08h
                                                                                                                                                                                                            call 00007F4FD4F2A50Fh
                                                                                                                                                                                                            mov ax, word ptr [eax]
Programming Language:
• [IMP] VS2005 build 50727
• [C++] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3225c | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4f000 | 0x7574 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x168 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x302ca | 0x30400 | 21f0700076e95abb4de47cbbef8cda48 | False | 0.7262437257124352 | data | 6.914886364886215 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x32000 | 0xa04 | 0xc00 | fbf38fd25ffe3b995354a30109bba30b | False | 0.3968098958333333 | data | 4.798427724315568 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x33000 | 0x1bb84 | 0x3e00 | 8fb1345fac8c46c706ce75db7ee26be4 | False | 0.9133064516129032 | data | 7.277764464021273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x4f000 | 0x76c8 | 0x7800 | 0e5310d3716de90a99d1ab24adebaa09 | False | 0.7573893229166667 | data | 6.814004846803548 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
GDI32.dll | UpdateColors, GetBkColor, GetFontUnicodeRanges, GetFontLanguageInfo, GetTextCharset, SetTextJustification, GetTextAlign, GetStretchBltMode, SetTextAlign, GetClipRgn, GetSystemPaletteUse, GetRandomRgn, SetPixel, GetPolyFillMode, GetDCPenColor, SetTextColor, GetPixelFormat, GetMetaRgn, GetNearestColor, GetTextColor, GetNearestPaletteIndex, GetDeviceCaps, GetMapMode, GetTextCharsetInfo, GetObjectType, GetGraphicsMode, GetTextCharacterExtra
USER32.dll | SetFocus, LoadIconA, DrawTextA, GetDlgItem, GetDlgItemInt, GetPropA, GetMenuItemID, EndPaint, GetWindowDC, EnableWindow, SetWindowTextA, GetInputState, GetMenu, MoveWindow, CheckDlgButton, GetMenuCheckMarkDimensions, EndDialog, WindowFromDC, RemovePropA, IsWindowUnicode, SetDlgItemTextA, PostMessageA, GetScrollPos, BeginPaint, SendMessageA, IsWindowEnabled, GetWindowContextHelpId, GetWindowLongA, GetKeyboardType, GetMenuContextHelpId, GetMenuItemCount
KERNEL32.dll | GetProcAddress, GetFileType, GetCurrentProcessId, CloseHandle, GlobalHandle, GetCurrentThreadId, IsDebuggerPresent, SetFilePointer, IsProcessorFeaturePresent, LocalFlags, LockResource, GetCurrentProcess, GetModuleHandleA, MoveFileA, DeleteFileA, QueryPerformanceCounter, GlobalSize, GetTickCount, GlobalFlags, GetFileTime, GetLastError, FindResourceA, FindClose, FlushFileBuffers, GlobalAlloc, LoadResource, GetStdHandle, GetProcessHeap, HeapAlloc
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-07T15:41:54.258875+0100 | 2811542 | ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) | 1 | 1.1.1.1 | 53 | 192.168.2.6 | 57116 | UDP
2024-11-07T15:41:54.378741+0100 | 2018316 | ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses | 1 | 1.1.1.1 | 53 | 192.168.2.6 | 57769 | UDP
2024-11-07T15:41:55.658532+0100 | 2820680 | ETPRO MALWARE W32/Bayrob Attempted Checkin 2 | 1 | 192.168.2.6 | 61162 | 199.59.243.227 | 80 | TCP
2024-11-07T15:41:57.420782+0100 | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 1 | 192.168.2.6 | 61164 | 18.143.155.63 | 80 | TCP
2024-11-07T15:41:57.817092+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 18.143.155.63 | 80 | 192.168.2.6 | 61164 | TCP
2024-11-07T15:41:57.817092+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 18.143.155.63 | 80 | 192.168.2.6 | 61164 | TCP
2024-11-07T15:42:00.835671+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 54.244.188.177 | 80 | 192.168.2.6 | 61185 | TCP
2024-11-07T15:42:00.835671+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 54.244.188.177 | 80 | 192.168.2.6 | 61185 | TCP
2024-11-07T15:42:08.521365+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.6 | 61217 | TCP
2024-11-07T15:42:36.798438+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.6 | 54000 | TCP
2024-11-07T15:43:37.556413+0100 | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 1 | 192.168.2.6 | 54125 | 18.143.155.63 | 80 | TCP
2024-11-07T15:43:37.556413+0100 | 2820680 | ETPRO MALWARE W32/Bayrob Attempted Checkin 2 | 1 | 192.168.2.6 | 54125 | 18.143.155.63 | 80 | TCP
2024-11-07T15:43:42.679237+0100 | 2018316 | ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses | 1 | 1.1.1.1 | 53 | 192.168.2.6 | 54598 | UDP
2024-11-07T15:43:55.894056+0100 | 2811542 | ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) | 1 | 1.1.1.1 | 53 | 192.168.2.6 | 52210 | UDP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 7, 2024 15:41:54.844553947 CET | 61162 | 80 | 192.168.2.6 | 199.59.243.227
Nov 7, 2024 15:41:54.850521088 CET | 80 | 61162 | 199.59.243.227 | 192.168.2.6
Nov 7, 2024 15:41:54.850614071 CET | 61162 | 80 | 192.168.2.6 | 199.59.243.227
Nov 7, 2024 15:41:54.850847960 CET | 61162 | 80 | 192.168.2.6 | 199.59.243.227
Nov 7, 2024 15:41:54.855875015 CET | 80 | 61162 | 199.59.243.227 | 192.168.2.6
Nov 7, 2024 15:41:55.658045053 CET | 80 | 61162 | 199.59.243.227 | 192.168.2.6
Nov 7, 2024 15:41:55.658428907 CET | 80 | 61162 | 199.59.243.227 | 192.168.2.6
Nov 7, 2024 15:41:55.658531904 CET | 61162 | 80 | 192.168.2.6 | 199.59.243.227
Nov 7, 2024 15:41:55.658590078 CET | 80 | 61162 | 199.59.243.227 | 192.168.2.6
Nov 7, 2024 15:41:55.658647060 CET | 61162 | 80 | 192.168.2.6 | 199.59.243.227
Nov 7, 2024 15:41:55.658699036 CET | 61162 | 80 | 192.168.2.6 | 199.59.243.227
Nov 7, 2024 15:41:55.663583040 CET | 80 | 61162 | 199.59.243.227 | 192.168.2.6
Nov 7, 2024 15:41:55.912197113 CET | 61164 | 80 | 192.168.2.6 | 18.143.155.63
Nov 7, 2024 15:41:55.917197943 CET | 80 | 61164 | 18.143.155.63 | 192.168.2.6
Nov 7, 2024 15:41:55.917280912 CET | 61164 | 80 | 192.168.2.6 | 18.143.155.63
Nov 7, 2024 15:41:55.917365074 CET | 61164 | 80 | 192.168.2.6 | 18.143.155.63
Nov 7, 2024 15:41:55.922625065 CET | 80 | 61164 | 18.143.155.63 | 192.168.2.6
Nov 7, 2024 15:41:57.377079010 CET | 80 | 61164 | 18.143.155.63 | 192.168.2.6
Nov 7, 2024 15:41:57.420782089 CET | 61164 | 80 | 192.168.2.6 | 18.143.155.63
Nov 7, 2024 15:41:57.817091942 CET | 80 | 61164 | 18.143.155.63 | 192.168.2.6
Nov 7, 2024 15:41:57.817190886 CET | 61164 | 80 | 192.168.2.6 | 18.143.155.63
Nov 7, 2024 15:41:57.817192078 CET | 61164 | 80 | 192.168.2.6 | 18.143.155.63
Nov 7, 2024 15:41:57.822119951 CET | 80 | 61164 | 18.143.155.63 | 192.168.2.6
Nov 7, 2024 15:41:59.841775894 CET | 61185 | 80 | 192.168.2.6 | 54.244.188.177
Nov 7, 2024 15:41:59.847269058 CET | 80 | 61185 | 54.244.188.177 | 192.168.2.6
Nov 7, 2024 15:41:59.847400904 CET | 61185 | 80 | 192.168.2.6 | 54.244.188.177
Nov 7, 2024 15:41:59.847522974 CET | 61185 | 80 | 192.168.2.6 | 54.244.188.177
Nov 7, 2024 15:41:59.852287054 CET | 80 | 61185 | 54.244.188.177 | 192.168.2.6
Nov 7, 2024 15:42:00.718555927 CET | 80 | 61185 | 54.244.188.177 | 192.168.2.6
Nov 7, 2024 15:42:00.764575005 CET | 61185 | 80 | 192.168.2.6 | 54.244.188.177
Nov 7, 2024 15:42:00.835670948 CET | 80 | 61185 | 54.244.188.177 | 192.168.2.6
Nov 7, 2024 15:42:00.835767984 CET | 61185 | 80 | 192.168.2.6 | 54.244.188.177
Nov 7, 2024 15:42:00.835849047 CET | 61185 | 80 | 192.168.2.6 | 54.244.188.177
Nov 7, 2024 15:42:00.841044903 CET | 80 | 61185 | 54.244.188.177 | 192.168.2.6
Nov 7, 2024 15:42:01.808871031 CET | 61196 | 80 | 192.168.2.6 | 199.59.243.227
Nov 7, 2024 15:42:01.813946962 CET | 80 | 61196 | 199.59.243.227 | 192.168.2.6
Nov 7, 2024 15:42:01.814026117 CET | 61196 | 80 | 192.168.2.6 | 199.59.243.227
Nov 7, 2024 15:42:01.814074039 CET | 61196 | 80 | 192.168.2.6 | 199.59.243.227
Nov 7, 2024 15:42:01.819205046 CET | 80 | 61196 | 199.59.243.227 | 192.168.2.6
Nov 7, 2024 15:42:02.470746994 CET | 80 | 61196 | 199.59.243.227 | 192.168.2.6
Nov 7, 2024 15:42:02.470777035 CET | 80 | 61196 | 199.59.243.227 | 192.168.2.6
Nov 7, 2024 15:42:02.470973969 CET | 61196 | 80 | 192.168.2.6 | 199.59.243.227
Nov 7, 2024 15:42:02.473345995 CET | 80 | 61196 | 199.59.243.227 | 192.168.2.6
Nov 7, 2024 15:42:02.473407030 CET | 61196 | 80 | 192.168.2.6 | 199.59.243.227
Nov 7, 2024 15:42:02.473450899 CET | 61196 | 80 | 192.168.2.6 | 199.59.243.227
Nov 7, 2024 15:42:02.480953932 CET | 80 | 61196 | 199.59.243.227 | 192.168.2.6
Nov 7, 2024 15:42:03.294503927 CET | 61201 | 80 | 192.168.2.6 | 18.143.155.63
Nov 7, 2024 15:42:03.299477100 CET | 80 | 61201 | 18.143.155.63 | 192.168.2.6
Nov 7, 2024 15:42:03.299637079 CET | 61201 | 80 | 192.168.2.6 | 18.143.155.63
Nov 7, 2024 15:42:03.299684048 CET | 61201 | 80 | 192.168.2.6 | 18.143.155.63
Nov 7, 2024 15:42:03.304487944 CET | 80 | 61201 | 18.143.155.63 | 192.168.2.6
Nov 7, 2024 15:42:04.784287930 CET | 80 | 61201 | 18.143.155.63 | 192.168.2.6
Nov 7, 2024 15:42:04.827020884 CET | 61201 | 80 | 192.168.2.6 | 18.143.155.63
Nov 7, 2024 15:42:05.230200052 CET | 80 | 61201 | 18.143.155.63 | 192.168.2.6
Nov 7, 2024 15:42:05.230439901 CET | 61201 | 80 | 192.168.2.6 | 18.143.155.63
Nov 7, 2024 15:42:05.230503082 CET | 61201 | 80 | 192.168.2.6 | 18.143.155.63
Nov 7, 2024 15:42:05.235357046 CET | 80 | 61201 | 18.143.155.63 | 192.168.2.6
Nov 7, 2024 15:42:06.446270943 CET | 61213 | 80 | 192.168.2.6 | 85.214.228.140
Nov 7, 2024 15:42:06.451636076 CET | 80 | 61213 | 85.214.228.140 | 192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:06.451745033 CET6121380192.168.2.685.214.228.140
                                                                                                                                                                                                            Nov 7, 2024 15:42:06.453412056 CET6121380192.168.2.685.214.228.140
                                                                                                                                                                                                            Nov 7, 2024 15:42:06.458467007 CET806121385.214.228.140192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.339715004 CET806121385.214.228.140192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.340455055 CET6121380192.168.2.685.214.228.140
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.346086979 CET806121385.214.228.140192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.346136093 CET6121380192.168.2.685.214.228.140
                                                                                                                                                                                                            Nov 7, 2024 15:43:30.001475096 CET5412480192.168.2.6199.59.243.227
                                                                                                                                                                                                            Nov 7, 2024 15:43:30.006447077 CET8054124199.59.243.227192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:30.006525040 CET5412480192.168.2.6199.59.243.227
                                                                                                                                                                                                            Nov 7, 2024 15:43:30.006602049 CET5412480192.168.2.6199.59.243.227
                                                                                                                                                                                                            Nov 7, 2024 15:43:30.011634111 CET8054124199.59.243.227192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:30.690996885 CET8054124199.59.243.227192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:30.691035032 CET8054124199.59.243.227192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:30.691104889 CET5412480192.168.2.6199.59.243.227
                                                                                                                                                                                                            Nov 7, 2024 15:43:30.722445011 CET8054124199.59.243.227192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:30.722558022 CET5412480192.168.2.6199.59.243.227
                                                                                                                                                                                                            Nov 7, 2024 15:43:30.722615004 CET5412480192.168.2.6199.59.243.227
                                                                                                                                                                                                            Nov 7, 2024 15:43:30.727543116 CET8054124199.59.243.227192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:36.108063936 CET5412580192.168.2.618.143.155.63
                                                                                                                                                                                                            Nov 7, 2024 15:43:36.113018036 CET805412518.143.155.63192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:36.113085985 CET5412580192.168.2.618.143.155.63
                                                                                                                                                                                                            Nov 7, 2024 15:43:36.113943100 CET5412580192.168.2.618.143.155.63
                                                                                                                                                                                                            Nov 7, 2024 15:43:36.118774891 CET805412518.143.155.63192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:37.556240082 CET805412518.143.155.63192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:37.556412935 CET5412580192.168.2.618.143.155.63
                                                                                                                                                                                                            Nov 7, 2024 15:43:37.562424898 CET805412518.143.155.63192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:37.562490940 CET5412580192.168.2.618.143.155.63
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.397530079 CET6537053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.428978920 CET53653701.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.429656982 CET6317253192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.442555904 CET53631721.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.443128109 CET5787353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.453717947 CET53578731.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.454363108 CET6339653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.464113951 CET53633961.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.464747906 CET5325353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.474076986 CET53532531.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.474767923 CET5440153192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.484527111 CET53544011.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.485228062 CET5337053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.516268969 CET53533701.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.518723011 CET5118553192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.527909994 CET53511851.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.529160023 CET6157853192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.696866035 CET53615781.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.698390961 CET5362953192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.709086895 CET53536291.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.709846020 CET6082553192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.723721027 CET53608251.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.724337101 CET5791353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.735677958 CET53579131.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.736354113 CET5884353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.747745991 CET53588431.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.748291969 CET5798353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.765239000 CET53579831.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.765824080 CET6169453192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.798336983 CET53616941.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.799072981 CET6144253192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.832793951 CET53614421.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.833936930 CET5308953192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.188870907 CET53530891.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.189964056 CET5188353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.220474958 CET53518831.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.221791029 CET6253953192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.384079933 CET53625391.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.397233963 CET6225853192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.407087088 CET53622581.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.408514023 CET5495353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.418261051 CET53549531.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.425976992 CET5242753192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.458400965 CET53524271.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.459321976 CET6492753192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.489969015 CET53649271.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.490938902 CET5839253192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.524666071 CET53583921.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.525670052 CET6423653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.536775112 CET53642361.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.537642956 CET5793853192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.570112944 CET53579381.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.571193933 CET5324353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.603425980 CET53532431.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.604568958 CET6169653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.615341902 CET53616961.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.616296053 CET5301753192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.647249937 CET53530171.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.648407936 CET5476653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.840943098 CET53547661.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.836661100 CET6236153192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.867495060 CET53623611.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.868488073 CET6063653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.900161982 CET53606361.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.901371002 CET6368053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.912790060 CET53636801.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.913538933 CET5410153192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.924434900 CET53541011.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.925321102 CET6133253192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.940551043 CET53613321.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.941373110 CET5167153192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.950934887 CET53516711.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.951792955 CET6003953192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.961421967 CET53600391.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.962095976 CET5633653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.972805977 CET53563361.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.973738909 CET5224253192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.989516020 CET53522421.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.990161896 CET5125153192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.021161079 CET53512511.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.022108078 CET6515553192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.031016111 CET53651551.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.031712055 CET6016353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.044020891 CET53601631.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.044601917 CET5126053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.054066896 CET53512601.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.054757118 CET5953053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.085321903 CET53595301.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.086224079 CET5206653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.096111059 CET53520661.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.097312927 CET5296953192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.108268023 CET53529691.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.121191025 CET5259453192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.151448011 CET53525941.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.152260065 CET6412853192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.312693119 CET53641281.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.313704014 CET5329053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.323566914 CET53532901.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.324220896 CET6511353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.334382057 CET53651131.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.334898949 CET5238553192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.350759983 CET53523851.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.351377010 CET5288753192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.362658024 CET53528871.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.363173962 CET6259753192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.394521952 CET53625971.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.609813929 CET5177353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.620984077 CET53517731.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.621617079 CET6020653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.631449938 CET53602061.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:34.631880045 CET5360861162.159.36.2192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:42:35.258991003 CET53546411.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:14.115783930 CET5866653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:14.125332117 CET53586661.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:15.140620947 CET6331653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:15.150748968 CET53633161.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:16.221878052 CET5747753192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:16.252557993 CET53574771.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:17.265491962 CET5720453192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:17.276210070 CET53572041.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:18.292524099 CET5555353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:18.312746048 CET5555353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:18.447458982 CET53555531.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:18.447485924 CET53555531.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:19.473737001 CET6274653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:19.499171972 CET6274653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:19.505630970 CET53627461.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:19.506145954 CET53627461.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:20.515742064 CET5188553192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:20.526391029 CET53518851.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:21.619050026 CET6290253192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:21.629300117 CET53629021.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:22.641386032 CET5826653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:22.651343107 CET53582661.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:23.656169891 CET5438253192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:23.667277098 CET53543821.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:24.842623949 CET5681053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:24.865039110 CET5681053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:24.874732971 CET53568101.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:24.874749899 CET53568101.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:25.906321049 CET5774253192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:25.916416883 CET53577421.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:26.921778917 CET6323553192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:26.929193974 CET53632351.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:27.937464952 CET6121653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:27.967884064 CET6121653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:27.969069958 CET53612161.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:27.975379944 CET53612161.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:28.984153986 CET6018353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:28.995719910 CET53601831.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:31.734087944 CET6190353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:31.744566917 CET53619031.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:32.749819994 CET5749253192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:32.760966063 CET53574921.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:33.765551090 CET5615753192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:33.796114922 CET5615753192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:33.909955978 CET53561571.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:33.909981012 CET53561571.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:34.922061920 CET5826953192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:34.952421904 CET5826953192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:34.953933001 CET53582691.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:34.959440947 CET53582691.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:38.572472095 CET5371753192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:38.581660986 CET53537171.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:39.593841076 CET6540953192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:39.603759050 CET53654091.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:40.609422922 CET5385153192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:40.619654894 CET53538511.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:41.625169039 CET6296553192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:41.632752895 CET53629651.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:42.640528917 CET5459853192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:42.671125889 CET5459853192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:42.674387932 CET53545981.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:42.679236889 CET53545981.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:43.687500954 CET5441853192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:43.718087912 CET5441853192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:43.720408916 CET53544181.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:43.725275993 CET53544181.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:44.734496117 CET5132353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:44.764806986 CET5132353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:44.765461922 CET53513231.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:44.771636963 CET53513231.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:45.781469107 CET5418253192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:45.811789036 CET5418253192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:45.812875986 CET53541821.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:45.819344044 CET53541821.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:46.828219891 CET6393953192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:46.838902950 CET53639391.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:47.909003019 CET6064153192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:47.923378944 CET53606411.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:49.063409090 CET5518553192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:49.074929953 CET53551851.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:50.046789885 CET6360053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:50.077416897 CET6360053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:50.078346968 CET53636001.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:50.085731030 CET53636001.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:51.015631914 CET6311853192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:51.025511026 CET53631181.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:51.937378883 CET5805653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:51.967885017 CET5805653192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:52.094109058 CET53580561.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:52.094227076 CET53580561.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:52.968643904 CET5679053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:52.999638081 CET5679053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:52.999736071 CET53567901.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:53.006853104 CET53567901.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:53.859247923 CET5275353192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:53.869788885 CET53527531.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:54.687422991 CET5452953192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:54.698144913 CET53545291.1.1.1192.168.2.6
                                                                                                                                                                                                            Nov 7, 2024 15:43:55.577853918 CET5901053192.168.2.61.1.1.1
                                                                                                                                                                                                            Nov 7, 2024 15:43:55.585814953 CET53590101.1.1.1192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.529160023 CET192.168.2.61.1.1.10x9c6eStandard query (0)pleasantappear.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.698390961 CET192.168.2.61.1.1.10xc432Standard query (0)necessaryappear.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.709846020 CET192.168.2.61.1.1.10x5057Standard query (0)ordermanner.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.724337101 CET192.168.2.61.1.1.10x97caStandard query (0)requiremanner.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.736354113 CET192.168.2.61.1.1.10x5dabStandard query (0)orderanother.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.748291969 CET192.168.2.61.1.1.10x3f4aStandard query (0)requireanother.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.765824080 CET192.168.2.61.1.1.10x85a8Standard query (0)orderbusiness.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.799072981 CET192.168.2.61.1.1.10xa003Standard query (0)requirebusiness.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:58.833936930 CET192.168.2.61.1.1.10xd19cStandard query (0)orderappear.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.189964056 CET192.168.2.61.1.1.10xadd1Standard query (0)requireappear.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.221791029 CET192.168.2.61.1.1.10xff8bStandard query (0)leadermanner.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.397233963 CET192.168.2.61.1.1.10x7b96Standard query (0)heavenmanner.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.408514023 CET192.168.2.61.1.1.10x8e51Standard query (0)leaderanother.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.425976992 CET192.168.2.61.1.1.10x326eStandard query (0)heavenanother.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.459321976 CET192.168.2.61.1.1.10x521bStandard query (0)leaderbusiness.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.490938902 CET192.168.2.61.1.1.10x74ffStandard query (0)heavenbusiness.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.525670052 CET192.168.2.61.1.1.10x5d00Standard query (0)leaderappear.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.537642956 CET192.168.2.61.1.1.10x9e08Standard query (0)heavenappear.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.571193933 CET192.168.2.61.1.1.10x9455Standard query (0)heavymanner.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.604568958 CET192.168.2.61.1.1.10x1bfStandard query (0)gentlemanner.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.616296053 CET192.168.2.61.1.1.10x72a5Standard query (0)heavyanother.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:41:59.648407936 CET192.168.2.61.1.1.10x8369Standard query (0)gentleanother.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.836661100 CET192.168.2.61.1.1.10x43b6Standard query (0)heavybusiness.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.868488073 CET192.168.2.61.1.1.10x4d36Standard query (0)gentlebusiness.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.901371002 CET192.168.2.61.1.1.10xb1b2Standard query (0)heavyappear.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.913538933 CET192.168.2.61.1.1.10x89eStandard query (0)gentleappear.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.925321102 CET192.168.2.61.1.1.10x748bStandard query (0)variousmanner.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.941373110 CET192.168.2.61.1.1.10x29daStandard query (0)returnmanner.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.951792955 CET192.168.2.61.1.1.10xc77Standard query (0)variousanother.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.962095976 CET192.168.2.61.1.1.10x2d64Standard query (0)returnanother.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.973738909 CET192.168.2.61.1.1.10xb08Standard query (0)variousbusiness.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:00.990161896 CET192.168.2.61.1.1.10xeb5eStandard query (0)returnbusiness.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.022108078 CET192.168.2.61.1.1.10x9f2aStandard query (0)variousappear.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.031712055 CET192.168.2.61.1.1.10xfe86Standard query (0)returnappear.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.044601917 CET192.168.2.61.1.1.10xc50eStandard query (0)degreeinstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.054757118 CET192.168.2.61.1.1.10x1bebStandard query (0)forwardinstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.086224079 CET192.168.2.61.1.1.10x365fStandard query (0)degreeexplain.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.097312927 CET192.168.2.61.1.1.10x5153Standard query (0)forwardexplain.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.121191025 CET192.168.2.61.1.1.10x1173Standard query (0)degreebright.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.152260065 CET192.168.2.61.1.1.10xe4dStandard query (0)forwardbright.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.313704014 CET192.168.2.61.1.1.10x676fStandard query (0)degreeinside.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.324220896 CET192.168.2.61.1.1.10x7948Standard query (0)forwardinside.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.334898949 CET192.168.2.61.1.1.10xfc94Standard query (0)answerinstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.351377010 CET192.168.2.61.1.1.10xe7c6Standard query (0)glassinstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.363173962 CET192.168.2.61.1.1.10xf059Standard query (0)answerexplain.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.395379066 CET192.168.2.61.1.1.10xf159Standard query (0)glassexplain.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.406482935 CET192.168.2.61.1.1.10xd7b6Standard query (0)answerbright.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.417210102 CET192.168.2.61.1.1.10xd32bStandard query (0)glassbright.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.474060059 CET192.168.2.61.1.1.10xb414Standard query (0)answerinside.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.511351109 CET192.168.2.61.1.1.10x5ea2Standard query (0)glassinside.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.542598963 CET192.168.2.61.1.1.10x6c1aStandard query (0)difficultinstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.574980974 CET192.168.2.61.1.1.10x39cStandard query (0)heardinstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.585282087 CET192.168.2.61.1.1.10x3c20Standard query (0)difficultexplain.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.596122980 CET192.168.2.61.1.1.10x82f5Standard query (0)heardexplain.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.610929012 CET192.168.2.61.1.1.10xbc59Standard query (0)difficultbright.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.852314949 CET192.168.2.61.1.1.10x19b5Standard query (0)heardbright.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.862653017 CET192.168.2.61.1.1.10x968Standard query (0)difficultinside.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.879086971 CET192.168.2.61.1.1.10xdf5aStandard query (0)heardinside.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.919193029 CET192.168.2.61.1.1.10x5c09Standard query (0)pleasantinstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.231203079 CET192.168.2.61.1.1.10x4447Standard query (0)necessaryinstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.239267111 CET192.168.2.61.1.1.10x9226Standard query (0)pleasantexplain.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.296817064 CET192.168.2.61.1.1.10x5d6dStandard query (0)necessaryexplain.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.330936909 CET192.168.2.61.1.1.10x2630Standard query (0)pleasantbright.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.344223976 CET192.168.2.61.1.1.10x2ec1Standard query (0)necessarybright.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.376954079 CET192.168.2.61.1.1.10xf397Standard query (0)pleasantinside.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.388268948 CET192.168.2.61.1.1.10x7d32Standard query (0)necessaryinside.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.399561882 CET192.168.2.61.1.1.10x5a85Standard query (0)orderinstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.431803942 CET192.168.2.61.1.1.10x7536Standard query (0)requireinstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.442267895 CET192.168.2.61.1.1.10x4180Standard query (0)orderexplain.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.452877998 CET192.168.2.61.1.1.10x4e14Standard query (0)requireexplain.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.463956118 CET192.168.2.61.1.1.10xb295Standard query (0)orderbright.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.475404978 CET192.168.2.61.1.1.10x92d5Standard query (0)requirebright.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.487477064 CET192.168.2.61.1.1.10x52d1Standard query (0)orderinside.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.498653889 CET192.168.2.61.1.1.10x1f6fStandard query (0)requireinside.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.508066893 CET192.168.2.61.1.1.10x9f60Standard query (0)leaderinstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.520708084 CET192.168.2.61.1.1.10x842cStandard query (0)heaveninstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.531266928 CET192.168.2.61.1.1.10x62b6Standard query (0)leaderexplain.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.541481018 CET192.168.2.61.1.1.10xe965Standard query (0)heavenexplain.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.573386908 CET192.168.2.61.1.1.10x5c7bStandard query (0)leaderbright.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.584635019 CET192.168.2.61.1.1.10xf365Standard query (0)heavenbright.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.595367908 CET192.168.2.61.1.1.10xfa57Standard query (0)leaderinside.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.606190920 CET192.168.2.61.1.1.10xf032Standard query (0)heaveninside.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.634835958 CET192.168.2.61.1.1.10xa621Standard query (0)heavyinstead.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.667608976 CET192.168.2.61.1.1.10xcb31Standard query (0)gentleinstead.netA (IP address)IN (0x0001)false
Nov 7, 2024 15:42:05.675825119 CET | 192.168.2.6 | 1.1.1.1 | 0x8e69 | Standard query (0) | heavyexplain.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:05.707603931 CET | 192.168.2.6 | 1.1.1.1 | 0x878a | Standard query (0) | gentleexplain.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:05.718173027 CET | 192.168.2.6 | 1.1.1.1 | 0x109e | Standard query (0) | heavybright.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:05.730417013 CET | 192.168.2.6 | 1.1.1.1 | 0x3a7a | Standard query (0) | gentlebright.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:05.762610912 CET | 192.168.2.6 | 1.1.1.1 | 0xd915 | Standard query (0) | heavyinside.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:05.773071051 CET | 192.168.2.6 | 1.1.1.1 | 0xb03f | Standard query (0) | gentleinside.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:05.784909964 CET | 192.168.2.6 | 1.1.1.1 | 0xf7f9 | Standard query (0) | variousinstead.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:05.794914007 CET | 192.168.2.6 | 1.1.1.1 | 0x8e75 | Standard query (0) | returninstead.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:05.826957941 CET | 192.168.2.6 | 1.1.1.1 | 0x9ff8 | Standard query (0) | variousexplain.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:05.837161064 CET | 192.168.2.6 | 1.1.1.1 | 0x6758 | Standard query (0) | returnexplain.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:05.909682989 CET | 192.168.2.6 | 1.1.1.1 | 0x210d | Standard query (0) | variousbright.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:05.959589958 CET | 192.168.2.6 | 1.1.1.1 | 0x566a | Standard query (0) | returnbright.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:05.998435020 CET | 192.168.2.6 | 1.1.1.1 | 0x9596 | Standard query (0) | variousinside.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:06.013880014 CET | 192.168.2.6 | 1.1.1.1 | 0x7c62 | Standard query (0) | returninside.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:06.028636932 CET | 192.168.2.6 | 1.1.1.1 | 0xf89 | Standard query (0) | degreeready.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:06.065294981 CET | 192.168.2.6 | 1.1.1.1 | 0x5ec6 | Standard query (0) | forwardready.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:06.101950884 CET | 192.168.2.6 | 1.1.1.1 | 0x5735 | Standard query (0) | degreebrown.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:06.154905081 CET | 192.168.2.6 | 1.1.1.1 | 0x2db8 | Standard query (0) | forwardbrown.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:06.187683105 CET | 192.168.2.6 | 1.1.1.1 | 0x7149 | Standard query (0) | degreepeople.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:06.196180105 CET | 192.168.2.6 | 1.1.1.1 | 0xd749 | Standard query (0) | forwardpeople.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:06.208935976 CET | 192.168.2.6 | 1.1.1.1 | 0x919e | Standard query (0) | degreedaughter.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:07.341170073 CET | 192.168.2.6 | 1.1.1.1 | 0xde9c | Standard query (0) | forwarddaughter.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:07.351458073 CET | 192.168.2.6 | 1.1.1.1 | 0xb71f | Standard query (0) | answerready.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:07.363214016 CET | 192.168.2.6 | 1.1.1.1 | 0x88c4 | Standard query (0) | glassready.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:07.373986006 CET | 192.168.2.6 | 1.1.1.1 | 0xc457 | Standard query (0) | answerbrown.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:07.382261038 CET | 192.168.2.6 | 1.1.1.1 | 0x66dd | Standard query (0) | glassbrown.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:07.393755913 CET | 192.168.2.6 | 1.1.1.1 | 0x5e4f | Standard query (0) | answerpeople.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:07.554506063 CET | 192.168.2.6 | 1.1.1.1 | 0x7f33 | Standard query (0) | glasspeople.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:07.565824986 CET | 192.168.2.6 | 1.1.1.1 | 0x1f6f | Standard query (0) | answerdaughter.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:07.597865105 CET | 192.168.2.6 | 1.1.1.1 | 0x14f4 | Standard query (0) | glassdaughter.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:07.609813929 CET | 192.168.2.6 | 1.1.1.1 | 0xcd4 | Standard query (0) | difficultready.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:07.621617079 CET | 192.168.2.6 | 1.1.1.1 | 0x92b8 | Standard query (0) | heardready.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:14.115783930 CET | 192.168.2.6 | 1.1.1.1 | 0x77fc | Standard query (0) | heavenstream.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:15.140620947 CET | 192.168.2.6 | 1.1.1.1 | 0xd6fd | Standard query (0) | leadernothing.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:16.221878052 CET | 192.168.2.6 | 1.1.1.1 | 0x7b8f | Standard query (0) | heavennothing.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:17.265491962 CET | 192.168.2.6 | 1.1.1.1 | 0xdd23 | Standard query (0) | leaderbottle.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:18.292524099 CET | 192.168.2.6 | 1.1.1.1 | 0xfde | Standard query (0) | heavenbottle.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:18.312746048 CET | 192.168.2.6 | 1.1.1.1 | 0xfde | Standard query (0) | heavenbottle.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:19.473737001 CET | 192.168.2.6 | 1.1.1.1 | 0xd6f6 | Standard query (0) | leaderdivide.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:19.499171972 CET | 192.168.2.6 | 1.1.1.1 | 0xd6f6 | Standard query (0) | leaderdivide.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:20.515742064 CET | 192.168.2.6 | 1.1.1.1 | 0xccae | Standard query (0) | heavendivide.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:21.619050026 CET | 192.168.2.6 | 1.1.1.1 | 0x9cf9 | Standard query (0) | heavystream.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:22.641386032 CET | 192.168.2.6 | 1.1.1.1 | 0x44cf | Standard query (0) | gentlestream.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:23.656169891 CET | 192.168.2.6 | 1.1.1.1 | 0x582 | Standard query (0) | heavynothing.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:24.842623949 CET | 192.168.2.6 | 1.1.1.1 | 0x9426 | Standard query (0) | gentlenothing.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:24.865039110 CET | 192.168.2.6 | 1.1.1.1 | 0x9426 | Standard query (0) | gentlenothing.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:25.906321049 CET | 192.168.2.6 | 1.1.1.1 | 0xa933 | Standard query (0) | heavybottle.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:26.921778917 CET | 192.168.2.6 | 1.1.1.1 | 0xca77 | Standard query (0) | gentlebottle.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:27.937464952 CET | 192.168.2.6 | 1.1.1.1 | 0x2480 | Standard query (0) | heavydivide.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:27.967884064 CET | 192.168.2.6 | 1.1.1.1 | 0x2480 | Standard query (0) | heavydivide.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:28.984153986 CET | 192.168.2.6 | 1.1.1.1 | 0xf7e2 | Standard query (0) | gentledivide.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:31.734087944 CET | 192.168.2.6 | 1.1.1.1 | 0x3751 | Standard query (0) | returnstream.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:32.749819994 CET | 192.168.2.6 | 1.1.1.1 | 0xe96d | Standard query (0) | variousnothing.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:33.765551090 CET | 192.168.2.6 | 1.1.1.1 | 0x6ea7 | Standard query (0) | returnnothing.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:33.796114922 CET | 192.168.2.6 | 1.1.1.1 | 0x6ea7 | Standard query (0) | returnnothing.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:34.922061920 CET | 192.168.2.6 | 1.1.1.1 | 0x122 | Standard query (0) | variousbottle.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:34.952421904 CET | 192.168.2.6 | 1.1.1.1 | 0x122 | Standard query (0) | variousbottle.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:38.572472095 CET | 192.168.2.6 | 1.1.1.1 | 0x7c35 | Standard query (0) | variousdivide.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:39.593841076 CET | 192.168.2.6 | 1.1.1.1 | 0xe0f2 | Standard query (0) | returndivide.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:40.609422922 CET | 192.168.2.6 | 1.1.1.1 | 0x12e | Standard query (0) | degreemanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:41.625169039 CET | 192.168.2.6 | 1.1.1.1 | 0x8d14 | Standard query (0) | forwardmanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:42.640528917 CET | 192.168.2.6 | 1.1.1.1 | 0x847b | Standard query (0) | degreeanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:42.671125889 CET | 192.168.2.6 | 1.1.1.1 | 0x847b | Standard query (0) | degreeanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:43.687500954 CET | 192.168.2.6 | 1.1.1.1 | 0x2f5a | Standard query (0) | forwardanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:43.718087912 CET | 192.168.2.6 | 1.1.1.1 | 0x2f5a | Standard query (0) | forwardanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:44.734496117 CET | 192.168.2.6 | 1.1.1.1 | 0xccce | Standard query (0) | degreebusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:44.764806986 CET | 192.168.2.6 | 1.1.1.1 | 0xccce | Standard query (0) | degreebusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:45.781469107 CET | 192.168.2.6 | 1.1.1.1 | 0xfec3 | Standard query (0) | forwardbusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:45.811789036 CET | 192.168.2.6 | 1.1.1.1 | 0xfec3 | Standard query (0) | forwardbusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:46.828219891 CET | 192.168.2.6 | 1.1.1.1 | 0xd05f | Standard query (0) | degreeappear.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:47.909003019 CET | 192.168.2.6 | 1.1.1.1 | 0x7e49 | Standard query (0) | forwardappear.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:49.063409090 CET | 192.168.2.6 | 1.1.1.1 | 0xbdab | Standard query (0) | answermanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:50.046789885 CET | 192.168.2.6 | 1.1.1.1 | 0xec06 | Standard query (0) | glassmanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:50.077416897 CET | 192.168.2.6 | 1.1.1.1 | 0xec06 | Standard query (0) | glassmanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:51.015631914 CET | 192.168.2.6 | 1.1.1.1 | 0xbdfe | Standard query (0) | answeranother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:51.937378883 CET | 192.168.2.6 | 1.1.1.1 | 0x2956 | Standard query (0) | glassanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:51.967885017 CET | 192.168.2.6 | 1.1.1.1 | 0x2956 | Standard query (0) | glassanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:52.968643904 CET | 192.168.2.6 | 1.1.1.1 | 0xbc04 | Standard query (0) | answerbusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:52.999638081 CET | 192.168.2.6 | 1.1.1.1 | 0xbc04 | Standard query (0) | answerbusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:53.859247923 CET | 192.168.2.6 | 1.1.1.1 | 0x654d | Standard query (0) | glassbusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:54.687422991 CET | 192.168.2.6 | 1.1.1.1 | 0x3511 | Standard query (0) | answerappear.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.577853918 CET | 192.168.2.6 | 1.1.1.1 | 0x7194 | Standard query (0) | glassappear.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.586328030 CET | 192.168.2.6 | 1.1.1.1 | 0x4232 | Standard query (0) | difficultmanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.608727932 CET | 192.168.2.6 | 1.1.1.1 | 0x4232 | Standard query (0) | difficultmanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.617536068 CET | 192.168.2.6 | 1.1.1.1 | 0xd012 | Standard query (0) | heardmanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.628247976 CET | 192.168.2.6 | 1.1.1.1 | 0x87d | Standard query (0) | difficultanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.638608932 CET | 192.168.2.6 | 1.1.1.1 | 0xc059 | Standard query (0) | heardanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.648983955 CET | 192.168.2.6 | 1.1.1.1 | 0xe004 | Standard query (0) | difficultbusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.659866095 CET | 192.168.2.6 | 1.1.1.1 | 0x1b2b | Standard query (0) | heardbusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.670752048 CET | 192.168.2.6 | 1.1.1.1 | 0xb398 | Standard query (0) | difficultappear.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.681590080 CET | 192.168.2.6 | 1.1.1.1 | 0x4a8b | Standard query (0) | heardappear.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.702215910 CET | 192.168.2.6 | 1.1.1.1 | 0x4a8b | Standard query (0) | heardappear.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.714850903 CET | 192.168.2.6 | 1.1.1.1 | 0xd4c9 | Standard query (0) | pleasantmanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.725353003 CET | 192.168.2.6 | 1.1.1.1 | 0x7f95 | Standard query (0) | necessarymanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.736797094 CET | 192.168.2.6 | 1.1.1.1 | 0xf553 | Standard query (0) | pleasantanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.764694929 CET | 192.168.2.6 | 1.1.1.1 | 0xf553 | Standard query (0) | pleasantanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.768954039 CET | 192.168.2.6 | 1.1.1.1 | 0xa6eb | Standard query (0) | necessaryanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.777558088 CET | 192.168.2.6 | 1.1.1.1 | 0x737f | Standard query (0) | pleasantbusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.788743973 CET | 192.168.2.6 | 1.1.1.1 | 0x7427 | Standard query (0) | necessarybusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.811563015 CET | 192.168.2.6 | 1.1.1.1 | 0x7427 | Standard query (0) | necessarybusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.821124077 CET | 192.168.2.6 | 1.1.1.1 | 0x5f8d | Standard query (0) | pleasantappear.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.833384037 CET | 192.168.2.6 | 1.1.1.1 | 0x8517 | Standard query (0) | necessaryappear.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.843619108 CET | 192.168.2.6 | 1.1.1.1 | 0x5ad8 | Standard query (0) | ordermanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.851938009 CET | 192.168.2.6 | 1.1.1.1 | 0x395c | Standard query (0) | requiremanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.874041080 CET | 192.168.2.6 | 1.1.1.1 | 0x395c | Standard query (0) | requiremanner.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.884608984 CET | 192.168.2.6 | 1.1.1.1 | 0x1fa3 | Standard query (0) | orderanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.894685030 CET | 192.168.2.6 | 1.1.1.1 | 0xfcdd | Standard query (0) | requireanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.920989990 CET | 192.168.2.6 | 1.1.1.1 | 0xfcdd | Standard query (0) | requireanother.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.927609921 CET | 192.168.2.6 | 1.1.1.1 | 0x4269 | Standard query (0) | orderbusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.938896894 CET | 192.168.2.6 | 1.1.1.1 | 0xe9e3 | Standard query (0) | requirebusiness.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.949161053 CET | 192.168.2.6 | 1.1.1.1 | 0x892c | Standard query (0) | orderappear.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:43:55.967808962 CET | 192.168.2.6 | 1.1.1.1 | 0x892c | Standard query (0) | orderappear.net | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                            Nov 7, 2024 15:43:55.982069016 CET192.168.2.61.1.1.10x1e2dStandard query (0)requireappear.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:43:55.999038935 CET192.168.2.61.1.1.10x1e2dStandard query (0)requireappear.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:43:56.014215946 CET192.168.2.61.1.1.10x32d0Standard query (0)leadermanner.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:43:56.024429083 CET192.168.2.61.1.1.10x88d9Standard query (0)heavenmanner.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:43:56.034334898 CET192.168.2.61.1.1.10x69cdStandard query (0)leaderanother.netA (IP address)IN (0x0001)false
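The query rows above and the answer rows below are the raw evidence behind the report's "Tries to resolve many domain names, but no domain seems valid" and "Executes massive DNS lookups" signatures: a burst of two-word .net names, almost all answered NXDOMAIN, with a handful that resolve (one to a bodis.com parking CNAME). The following detection logic is an added example, not part of the Joe Sandbox report: it parses a few answer rows copied from the table below (pipe-delimited here for parsing), computes the NXDOMAIN share per transaction, extracts the names that did resolve (following the CNAME hop), and recovers the two-word vocabulary of the generator without a word list. The thresholds in `looks_like_dga_burst` and the split heuristic in `infer_word_pairs` are assumptions of this example.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Rows copied from this report's DNS answer table, pipe-delimited here for
# parsing. Column order is the report's own: Timestamp | Source IP | Dest IP |
# Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over
# HTTPS. Cells the report leaves blank are blank here as well.
SAMPLE_ANSWERS = """\
Nov 7, 2024 15:41:53.555422068 CET | 1.1.1.1 | 192.168.2.6 | 0xa49a | Name error (3) | heavenstream.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:53.588172913 CET | 1.1.1.1 | 192.168.2.6 | 0xcef9 | Name error (3) | leadernothing.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.243195057 CET | 1.1.1.1 | 192.168.2.6 | 0xece6 | Name error (3) | leaderbottle.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.258874893 CET | 1.1.1.1 | 192.168.2.6 | 0x2eef | Name error (3) | heavenbottle.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.330238104 CET | 1.1.1.1 | 192.168.2.6 | 0x55f5 | Name error (3) | heavystream.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.347049952 CET | 1.1.1.1 | 192.168.2.6 | 0xe935 | Name error (3) | gentlestream.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.358637094 CET | 1.1.1.1 | 192.168.2.6 | 0x9a31 | Name error (3) | heavynothing.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.378741026 CET | 1.1.1.1 | 192.168.2.6 | 0x44bd | Name error (3) | gentlenothing.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.829195023 CET | 1.1.1.1 | 192.168.2.6 | 0x92a4 | No error (0) | variousstream.net | 7450.bodis.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 15:41:54.829195023 CET | 1.1.1.1 | 192.168.2.6 | 0x92a4 | No error (0) | 7450.bodis.com |  | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:55.670730114 CET | 1.1.1.1 | 192.168.2.6 | 0x6274 | Name error (3) | returnstream.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:55.681399107 CET | 1.1.1.1 | 192.168.2.6 | 0x629a | Name error (3) | variousnothing.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:55.911421061 CET | 1.1.1.1 | 192.168.2.6 | 0x3618 | No error (0) | returnbottle.net |  | 18.143.155.63 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.418261051 CET | 1.1.1.1 | 192.168.2.6 | 0x8e51 | Name error (3) | leaderanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.840943098 CET | 1.1.1.1 | 192.168.2.6 | 0x8369 | No error (0) | gentleanother.net |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
"""

@dataclass(frozen=True)
class DnsAnswer:
    ts: str
    txid: int
    rcode: int        # 0 = NOERROR, 3 = NXDOMAIN
    name: str
    cname: str
    address: str
    rtype: str        # "A" or "CNAME"

def parse_answers(text: str) -> list[DnsAnswer]:
    """Parse pipe-delimited rows laid out in the report's column order."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 11:
            raise ValueError(f"expected 11 columns, got {len(cols)}: {line!r}")
        ts, _src, _dst, txid, rcode, name, cname, addr, rtype, _cls, _doh = cols
        rc = int(rcode.rsplit("(", 1)[1].rstrip(")"))   # "Name error (3)" -> 3
        rows.append(DnsAnswer(ts, int(txid, 16), rc, name, cname, addr, rtype.split(" ", 1)[0]))
    return rows

def nxdomain_stats(answers: list[DnsAnswer]) -> tuple[int, int]:
    """(NXDOMAIN transactions, all transactions), counted per transaction ID so
    a CNAME + A pair sharing one ID counts once. Caveat: 16-bit IDs repeat in
    a long capture; key on (timestamp, ID) there."""
    by_tx = {a.txid: a.rcode for a in answers}
    return sum(1 for rc in by_tx.values() if rc == 3), len(by_tx)

def looks_like_dga_burst(answers, min_transactions=100, min_nx_ratio=0.9):
    """Volume plus a high NXDOMAIN share is the DGA signal. The defaults are
    assumed thresholds (the report's own signature fires above 100 lookups);
    tune them against a baseline of ordinary client behaviour."""
    nx, total = nxdomain_stats(answers)
    return total >= min_transactions and nx / total >= min_nx_ratio

def resolved_hosts(answers: list[DnsAnswer]) -> dict[str, str]:
    """Names the sample asked for that did resolve, mapped to the address at
    the end of any CNAME hop (the parking host behind variousstream.net)."""
    cname = {a.name: a.cname for a in answers if a.rtype == "CNAME"}
    addr = {a.name: a.address for a in answers if a.rtype == "A" and a.rcode == 0}
    asked = {a.name for a in answers if a.rcode == 0} - set(cname.values())
    return {n: addr[cname.get(n, n)] for n in sorted(asked) if cname.get(n, n) in addr}

def queried_names(answers: list[DnsAnswer]) -> list[str]:
    """Every name the sample queried, CNAME targets excluded."""
    targets = {a.cname for a in answers if a.rtype == "CNAME"}
    return sorted({a.name for a in answers} - targets)

def infer_word_pairs(names, min_len=3):
    """Recover the two-word vocabulary of a dictionary DGA without a word list.
    Each label is split where both halves are reused by other labels; a split
    scores the number of other labels sharing its prefix plus the number
    sharing its suffix. Heuristic: it needs a few dozen labels to be reliable."""
    labels = sorted({n.split(".")[0] for n in names})
    first, second = Counter(), Counter()
    for lab in labels:
        others = [o for o in labels if o != lab]
        best, best_score = None, 0
        for i in range(min_len, len(lab) - min_len + 1):
            p, s = lab[:i], lab[i:]
            ps = sum(o.startswith(p) for o in others)
            ss = sum(o.endswith(s) for o in others)
            if ps and ss and ps + ss > best_score:
                best, best_score = (p, s), ps + ss
        if best:
            first[best[0]] += 1
            second[best[1]] += 1
    return first, second

if __name__ == "__main__":
    answers = parse_answers(SAMPLE_ANSWERS)
    print("NXDOMAIN/total transactions:", nxdomain_stats(answers))
    print("DGA-like:", looks_like_dga_burst(answers, min_transactions=10, min_nx_ratio=0.6))
    print("resolved:", resolved_hosts(answers))
    print("word pairs:", infer_word_pairs(queried_names(answers)))
```

On the fifteen sample rows this reports 11 of 14 transactions as NXDOMAIN, three resolved names, and the vocabulary {heaven, leader, heavy, gentle, various, return} x {stream, nothing, bottle, another}. The resolved names deserve the caveat the report itself implies: a registrar parking page (the bodis.com CNAME) or a generic cloud address is not evidence of a live C2, only that someone registered that day's candidate; sinkhole operators and domain squatters register DGA names too, so treat them as pivots to verify, not as confirmed infrastructure.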
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 7, 2024 15:41:53.555422068 CET | 1.1.1.1 | 192.168.2.6 | 0xa49a | Name error (3) | heavenstream.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:53.588172913 CET | 1.1.1.1 | 192.168.2.6 | 0xcef9 | Name error (3) | leadernothing.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.243195057 CET | 1.1.1.1 | 192.168.2.6 | 0xece6 | Name error (3) | leaderbottle.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.258874893 CET | 1.1.1.1 | 192.168.2.6 | 0x2eef | Name error (3) | heavenbottle.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.276308060 CET | 1.1.1.1 | 192.168.2.6 | 0x4c1d | Name error (3) | leaderdivide.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.314434052 CET | 1.1.1.1 | 192.168.2.6 | 0x50d | Name error (3) | heavendivide.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.330238104 CET | 1.1.1.1 | 192.168.2.6 | 0x55f5 | Name error (3) | heavystream.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.347049952 CET | 1.1.1.1 | 192.168.2.6 | 0xe935 | Name error (3) | gentlestream.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.358637094 CET | 1.1.1.1 | 192.168.2.6 | 0x9a31 | Name error (3) | heavynothing.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.378741026 CET | 1.1.1.1 | 192.168.2.6 | 0x44bd | Name error (3) | gentlenothing.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.389899969 CET | 1.1.1.1 | 192.168.2.6 | 0x3f66 | Name error (3) | heavybottle.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.416484118 CET | 1.1.1.1 | 192.168.2.6 | 0xe2f7 | Name error (3) | gentlebottle.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.439172029 CET | 1.1.1.1 | 192.168.2.6 | 0xee75 | Name error (3) | heavydivide.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.475759029 CET | 1.1.1.1 | 192.168.2.6 | 0x6a61 | Name error (3) | gentledivide.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:54.829195023 CET | 1.1.1.1 | 192.168.2.6 | 0x92a4 | No error (0) | variousstream.net | 7450.bodis.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 15:41:54.829195023 CET | 1.1.1.1 | 192.168.2.6 | 0x92a4 | No error (0) | 7450.bodis.com |  | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:55.670730114 CET | 1.1.1.1 | 192.168.2.6 | 0x6274 | Name error (3) | returnstream.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:55.681399107 CET | 1.1.1.1 | 192.168.2.6 | 0x629a | Name error (3) | variousnothing.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:55.692348003 CET | 1.1.1.1 | 192.168.2.6 | 0xc785 | Name error (3) | returnnothing.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:55.724601984 CET | 1.1.1.1 | 192.168.2.6 | 0x78e8 | Name error (3) | variousbottle.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:55.911421061 CET | 1.1.1.1 | 192.168.2.6 | 0x3618 | No error (0) | returnbottle.net |  | 18.143.155.63 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:57.828553915 CET | 1.1.1.1 | 192.168.2.6 | 0x5b2a | Name error (3) | variousdivide.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:57.840790033 CET | 1.1.1.1 | 192.168.2.6 | 0xe04d | Name error (3) | returndivide.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:57.850421906 CET | 1.1.1.1 | 192.168.2.6 | 0xb284 | Name error (3) | degreemanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:57.866318941 CET | 1.1.1.1 | 192.168.2.6 | 0x4012 | Name error (3) | forwardmanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:57.876775980 CET | 1.1.1.1 | 192.168.2.6 | 0x5c16 | Name error (3) | degreeanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:57.908783913 CET | 1.1.1.1 | 192.168.2.6 | 0x783 | Name error (3) | forwardanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:57.918889046 CET | 1.1.1.1 | 192.168.2.6 | 0xb912 | Name error (3) | degreebusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:57.928412914 CET | 1.1.1.1 | 192.168.2.6 | 0xce6d | Name error (3) | forwardbusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:57.959700108 CET | 1.1.1.1 | 192.168.2.6 | 0x923 | Name error (3) | degreeappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:57.970865965 CET | 1.1.1.1 | 192.168.2.6 | 0x9cdb | Name error (3) | forwardappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.001770973 CET | 1.1.1.1 | 192.168.2.6 | 0x2ce2 | Name error (3) | answermanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.012409925 CET | 1.1.1.1 | 192.168.2.6 | 0xad02 | Name error (3) | glassmanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.044363022 CET | 1.1.1.1 | 192.168.2.6 | 0x5d1f | Name error (3) | answeranother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.054833889 CET | 1.1.1.1 | 192.168.2.6 | 0x7623 | Name error (3) | glassanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.065419912 CET | 1.1.1.1 | 192.168.2.6 | 0x1698 | Name error (3) | answerbusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.075436115 CET | 1.1.1.1 | 192.168.2.6 | 0x2a2a | Name error (3) | glassbusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.107876062 CET | 1.1.1.1 | 192.168.2.6 | 0x3bb9 | Name error (3) | answerappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.264873981 CET | 1.1.1.1 | 192.168.2.6 | 0x492a | Name error (3) | glassappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.296588898 CET | 1.1.1.1 | 192.168.2.6 | 0x1199 | Name error (3) | difficultmanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.304090977 CET | 1.1.1.1 | 192.168.2.6 | 0x17c5 | Name error (3) | heardmanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.313775063 CET | 1.1.1.1 | 192.168.2.6 | 0x5b3e | Name error (3) | difficultanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.346585035 CET | 1.1.1.1 | 192.168.2.6 | 0x4486 | Name error (3) | heardanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.386097908 CET | 1.1.1.1 | 192.168.2.6 | 0xdb80 | Name error (3) | difficultbusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.396900892 CET | 1.1.1.1 | 192.168.2.6 | 0xe013 | Name error (3) | heardbusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.428978920 CET | 1.1.1.1 | 192.168.2.6 | 0x59f8 | Name error (3) | difficultappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.442555904 CET | 1.1.1.1 | 192.168.2.6 | 0x14a4 | Name error (3) | heardappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.453717947 CET | 1.1.1.1 | 192.168.2.6 | 0x4e75 | Name error (3) | pleasantmanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.464113951 CET | 1.1.1.1 | 192.168.2.6 | 0x11b6 | Name error (3) | necessarymanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.474076986 CET | 1.1.1.1 | 192.168.2.6 | 0x8834 | Name error (3) | pleasantanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.484527111 CET | 1.1.1.1 | 192.168.2.6 | 0x5f9 | Name error (3) | necessaryanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.516268969 CET | 1.1.1.1 | 192.168.2.6 | 0x39a5 | Name error (3) | pleasantbusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.527909994 CET | 1.1.1.1 | 192.168.2.6 | 0xc756 | Name error (3) | necessarybusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.696866035 CET | 1.1.1.1 | 192.168.2.6 | 0x9c6e | Name error (3) | pleasantappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.709086895 CET | 1.1.1.1 | 192.168.2.6 | 0xc432 | Name error (3) | necessaryappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.723721027 CET | 1.1.1.1 | 192.168.2.6 | 0x5057 | Name error (3) | ordermanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.735677958 CET | 1.1.1.1 | 192.168.2.6 | 0x97ca | Name error (3) | requiremanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.747745991 CET | 1.1.1.1 | 192.168.2.6 | 0x5dab | Name error (3) | orderanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.765239000 CET | 1.1.1.1 | 192.168.2.6 | 0x3f4a | Name error (3) | requireanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.798336983 CET | 1.1.1.1 | 192.168.2.6 | 0x85a8 | Name error (3) | orderbusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:58.832793951 CET | 1.1.1.1 | 192.168.2.6 | 0xa003 | Name error (3) | requirebusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.188870907 CET | 1.1.1.1 | 192.168.2.6 | 0xd19c | Name error (3) | orderappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.220474958 CET | 1.1.1.1 | 192.168.2.6 | 0xadd1 | Name error (3) | requireappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.384079933 CET | 1.1.1.1 | 192.168.2.6 | 0xff8b | Name error (3) | leadermanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.407087088 CET | 1.1.1.1 | 192.168.2.6 | 0x7b96 | Name error (3) | heavenmanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.418261051 CET | 1.1.1.1 | 192.168.2.6 | 0x8e51 | Name error (3) | leaderanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.458400965 CET | 1.1.1.1 | 192.168.2.6 | 0x326e | Name error (3) | heavenanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.489969015 CET | 1.1.1.1 | 192.168.2.6 | 0x521b | Name error (3) | leaderbusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.524666071 CET | 1.1.1.1 | 192.168.2.6 | 0x74ff | Name error (3) | heavenbusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.536775112 CET | 1.1.1.1 | 192.168.2.6 | 0x5d00 | Name error (3) | leaderappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.570112944 CET | 1.1.1.1 | 192.168.2.6 | 0x9e08 | Name error (3) | heavenappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.603425980 CET | 1.1.1.1 | 192.168.2.6 | 0x9455 | Name error (3) | heavymanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.615341902 CET | 1.1.1.1 | 192.168.2.6 | 0x1bf | Name error (3) | gentlemanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.647249937 CET | 1.1.1.1 | 192.168.2.6 | 0x72a5 | Name error (3) | heavyanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:41:59.840943098 CET | 1.1.1.1 | 192.168.2.6 | 0x8369 | No error (0) | gentleanother.net |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:00.867495060 CET | 1.1.1.1 | 192.168.2.6 | 0x43b6 | Name error (3) | heavybusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:00.900161982 CET | 1.1.1.1 | 192.168.2.6 | 0x4d36 | Name error (3) | gentlebusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:00.912790060 CET | 1.1.1.1 | 192.168.2.6 | 0xb1b2 | Name error (3) | heavyappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:00.924434900 CET | 1.1.1.1 | 192.168.2.6 | 0x89e | Name error (3) | gentleappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:00.940551043 CET | 1.1.1.1 | 192.168.2.6 | 0x748b | Name error (3) | variousmanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:00.950934887 CET | 1.1.1.1 | 192.168.2.6 | 0x29da | Name error (3) | returnmanner.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:00.961421967 CET | 1.1.1.1 | 192.168.2.6 | 0xc77 | Name error (3) | variousanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:00.972805977 CET | 1.1.1.1 | 192.168.2.6 | 0x2d64 | Name error (3) | returnanother.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:00.989516020 CET | 1.1.1.1 | 192.168.2.6 | 0xb08 | Name error (3) | variousbusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:01.021161079 CET | 1.1.1.1 | 192.168.2.6 | 0xeb5e | Name error (3) | returnbusiness.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:01.031016111 CET | 1.1.1.1 | 192.168.2.6 | 0x9f2a | Name error (3) | variousappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:01.044020891 CET | 1.1.1.1 | 192.168.2.6 | 0xfe86 | Name error (3) | returnappear.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:01.054066896 CET | 1.1.1.1 | 192.168.2.6 | 0xc50e | Name error (3) | degreeinstead.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:01.085321903 CET | 1.1.1.1 | 192.168.2.6 | 0x1beb | Name error (3) | forwardinstead.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:01.096111059 CET | 1.1.1.1 | 192.168.2.6 | 0x365f | Name error (3) | degreeexplain.net | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:42:01.108268023 CET | 1.1.1.1 | 192.168.2.6 | 0x5153 | Name error (3) | forwardexplain.net | none | none | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.151448011 CET1.1.1.1192.168.2.60x1173Name error (3)degreebright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.312693119 CET1.1.1.1192.168.2.60xe4dName error (3)forwardbright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.323566914 CET1.1.1.1192.168.2.60x676fName error (3)degreeinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.334382057 CET1.1.1.1192.168.2.60x7948Name error (3)forwardinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.350759983 CET1.1.1.1192.168.2.60xfc94Name error (3)answerinstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.362658024 CET1.1.1.1192.168.2.60xe7c6Name error (3)glassinstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.394521952 CET1.1.1.1192.168.2.60xf059Name error (3)answerexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.405895948 CET1.1.1.1192.168.2.60xf159Name error (3)glassexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.416650057 CET1.1.1.1192.168.2.60xd7b6Name error (3)answerbright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.805315018 CET1.1.1.1192.168.2.60xd32bNo error (0)glassbright.net7450.bodis.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:01.805315018 CET1.1.1.1192.168.2.60xd32bNo error (0)7450.bodis.com199.59.243.227A (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.507220030 CET1.1.1.1192.168.2.60xb414Name error (3)answerinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.541723013 CET1.1.1.1192.168.2.60x5ea2Name error (3)glassinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.573909998 CET1.1.1.1192.168.2.60x6c1aName error (3)difficultinstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.584532976 CET1.1.1.1192.168.2.60x39cName error (3)heardinstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.595499992 CET1.1.1.1192.168.2.60x3c20Name error (3)difficultexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.609965086 CET1.1.1.1192.168.2.60x82f5Name error (3)heardexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.851505995 CET1.1.1.1192.168.2.60xbc59Name error (3)difficultbright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.861774921 CET1.1.1.1192.168.2.60x19b5Name error (3)heardbright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.876271963 CET1.1.1.1192.168.2.60x968Name error (3)difficultinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:02.912797928 CET1.1.1.1192.168.2.60xdf5aName error (3)heardinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:03.117065907 CET1.1.1.1192.168.2.60x5c09No error (0)pleasantinstead.net18.143.155.63A (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.238532066 CET1.1.1.1192.168.2.60x4447Name error (3)necessaryinstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.270049095 CET1.1.1.1192.168.2.60x9226Name error (3)pleasantexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.330167055 CET1.1.1.1192.168.2.60x5d6dName error (3)necessaryexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.343450069 CET1.1.1.1192.168.2.60x2630Name error (3)pleasantbright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.376176119 CET1.1.1.1192.168.2.60x2ec1Name error (3)necessarybright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.387470007 CET1.1.1.1192.168.2.60xf397Name error (3)pleasantinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.398643017 CET1.1.1.1192.168.2.60x7d32Name error (3)necessaryinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.430944920 CET1.1.1.1192.168.2.60x5a85Name error (3)orderinstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.441553116 CET1.1.1.1192.168.2.60x7536Name error (3)requireinstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.452076912 CET1.1.1.1192.168.2.60x4180Name error (3)orderexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.463351965 CET1.1.1.1192.168.2.60x4e14Name error (3)requireexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.474698067 CET1.1.1.1192.168.2.60xb295Name error (3)orderbright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.486880064 CET1.1.1.1192.168.2.60x92d5Name error (3)requirebright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.498019934 CET1.1.1.1192.168.2.60x52d1Name error (3)orderinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.507431030 CET1.1.1.1192.168.2.60x1f6fName error (3)requireinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.520091057 CET1.1.1.1192.168.2.60x9f60Name error (3)leaderinstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.530713081 CET1.1.1.1192.168.2.60x842cName error (3)heaveninstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.540957928 CET1.1.1.1192.168.2.60x62b6Name error (3)leaderexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.572529078 CET1.1.1.1192.168.2.60xe965Name error (3)heavenexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.583734035 CET1.1.1.1192.168.2.60x5c7bName error (3)leaderbright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.594752073 CET1.1.1.1192.168.2.60xf365Name error (3)heavenbright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.605401039 CET1.1.1.1192.168.2.60xfa57Name error (3)leaderinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.618357897 CET1.1.1.1192.168.2.60xf032Name error (3)heaveninside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.666467905 CET1.1.1.1192.168.2.60xa621Name error (3)heavyinstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.674981117 CET1.1.1.1192.168.2.60xcb31Name error (3)gentleinstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.706729889 CET1.1.1.1192.168.2.60x8e69Name error (3)heavyexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.717257977 CET1.1.1.1192.168.2.60x878aName error (3)gentleexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.729911089 CET1.1.1.1192.168.2.60x109eName error (3)heavybright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.761569977 CET1.1.1.1192.168.2.60x3a7aName error (3)gentlebright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.772382975 CET1.1.1.1192.168.2.60xd915Name error (3)heavyinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.784383059 CET1.1.1.1192.168.2.60xb03fName error (3)gentleinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.794369936 CET1.1.1.1192.168.2.60xf7f9Name error (3)variousinstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.826064110 CET1.1.1.1192.168.2.60x8e75Name error (3)returninstead.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.836395025 CET1.1.1.1192.168.2.60x9ff8Name error (3)variousexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.846688032 CET1.1.1.1192.168.2.60x6758Name error (3)returnexplain.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.920953035 CET1.1.1.1192.168.2.60x210dName error (3)variousbright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:05.991071939 CET1.1.1.1192.168.2.60x566aName error (3)returnbright.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:06.007891893 CET1.1.1.1192.168.2.60x9596Name error (3)variousinside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:06.024072886 CET1.1.1.1192.168.2.60x7c62Name error (3)returninside.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:06.037777901 CET1.1.1.1192.168.2.60xf89Name error (3)degreeready.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:06.076098919 CET1.1.1.1192.168.2.60x5ec6Name error (3)forwardready.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:06.133517981 CET1.1.1.1192.168.2.60x5735Name error (3)degreebrown.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:06.165941000 CET1.1.1.1192.168.2.60x2db8Name error (3)forwardbrown.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:06.195358992 CET1.1.1.1192.168.2.60x7149Name error (3)degreepeople.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:06.206001997 CET1.1.1.1192.168.2.60xd749Name error (3)forwardpeople.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:06.298192978 CET1.1.1.1192.168.2.60x919eNo error (0)degreedaughter.net85.214.228.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.350570917 CET1.1.1.1192.168.2.60xde9cName error (3)forwarddaughter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.362273932 CET1.1.1.1192.168.2.60xb71fName error (3)answerready.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.373131990 CET1.1.1.1192.168.2.60x88c4Name error (3)glassready.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.381449938 CET1.1.1.1192.168.2.60xc457Name error (3)answerbrown.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.393147945 CET1.1.1.1192.168.2.60x66ddName error (3)glassbrown.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.553627968 CET1.1.1.1192.168.2.60x5e4fName error (3)answerpeople.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.565201998 CET1.1.1.1192.168.2.60x7f33Name error (3)glasspeople.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.597084045 CET1.1.1.1192.168.2.60x1f6fName error (3)answerdaughter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.609004021 CET1.1.1.1192.168.2.60x14f4Name error (3)glassdaughter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.620984077 CET1.1.1.1192.168.2.60xcd4Name error (3)difficultready.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:42:07.631449938 CET1.1.1.1192.168.2.60x92b8Name error (3)heardready.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:43:14.125332117 CET1.1.1.1192.168.2.60x77fcName error (3)heavenstream.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:43:15.150748968 CET1.1.1.1192.168.2.60xd6fdName error (3)leadernothing.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:43:16.252557993 CET1.1.1.1192.168.2.60x7b8fName error (3)heavennothing.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                            Nov 7, 2024 15:43:17.276210070 CET1.1.1.1192.168.2.60xdd23Name error (3)leaderbottle.netnonenoneA (IP address)IN (0x0001)false
• variousstream.net
• returnbottle.net
• gentleanother.net
• glassbright.net
• pleasantinstead.net
• degreedaughter.net
Session ID: 0
Source IP: 192.168.2.6
Source Port: 61162
Destination IP: 199.59.243.227
Destination Port: 80
PID: 6216
Process: C:\daxjjwrfm\qbpabupgx.exe

Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:41:54.850847960 CET | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: variousstream.net
Nov 7, 2024 15:41:55.658045053 CET | 1236 | IN | HTTP/1.1 200 OK
date: Thu, 07 Nov 2024 14:41:55 GMT
content-type: text/html; charset=utf-8
content-length: 1066
x-request-id: 13cfa952-6027-4e59-bcfe-bc6ea3f00c47
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==
set-cookie: parking_session=13cfa952-6027-4e59-bcfe-bc6ea3f00c47; expires=Thu, 07 Nov 2024 14:56:55 GMT; path=/
connection: close
                                                                                                                                                                                                            Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                                                                                                                            Nov 7, 2024 15:41:55.658428907 CET519INData Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                                                                                            Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTNjZmE5NTItNjAyNy00ZTU5LWJjZmUtYmM2ZWEzZjAwYzQ3IiwicGFnZV90aW1lIjoxNzMwOTkwNT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 61164 | 18.143.155.63 | 80 | 6216 | C:\daxjjwrfm\qbpabupgx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:41:55.917365074 CET | 83 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: returnbottle.net
Nov 7, 2024 15:41:57.377079010 CET | 387 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 07 Nov 2024 14:41:57 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=cd2635dbd9d522f28e306e5768c6e0c3|173.254.250.79|1730990517|1730990517|0|1|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 61185 | 54.244.188.177 | 80 | 6216 | C:\daxjjwrfm\qbpabupgx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:41:59.847522974 CET | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: gentleanother.net
Nov 7, 2024 15:42:00.718555927 CET | 388 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 07 Nov 2024 14:42:00 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=509ee42c23247409006dd0ed2b8d1eeb|173.254.250.79|1730990520|1730990520|0|1|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 61196 | 199.59.243.227 | 80 | 6216 | C:\daxjjwrfm\qbpabupgx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:42:01.814074039 CET | 82 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: glassbright.net
Nov 7, 2024 15:42:02.470746994 CET | 1236 | IN | HTTP/1.1 200 OK
date: Thu, 07 Nov 2024 14:42:01 GMT
content-type: text/html; charset=utf-8
content-length: 1062
x-request-id: b6dd4001-c41a-44db-a809-2b71c3a0bde1
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==
set-cookie: parking_session=b6dd4001-c41a-44db-a809-2b71c3a0bde1; expires=Thu, 07 Nov 2024 14:57:02 GMT; path=/
connection: close
Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:42:02.470777035 CET | 515 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjZkZDQwMDEtYzQxYS00NGRiLWE4MDktMmI3MWMzYTBiZGUxIiwicGFnZV90aW1lIjoxNzMwOTkwNT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 61201 | 18.143.155.63 | 80 | 6216 | C:\daxjjwrfm\qbpabupgx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:42:03.299684048 CET | 86 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: pleasantinstead.net
Nov 7, 2024 15:42:04.784287930 CET | 390 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 07 Nov 2024 14:42:04 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=77c86db442ef3f4a34723b9933944f7a|173.254.250.79|1730990524|1730990524|0|1|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 61213 | 85.214.228.140 | 80 | 6216 | C:\daxjjwrfm\qbpabupgx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:42:06.453412056 CET | 85 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: degreedaughter.net
Nov 7, 2024 15:42:07.339715004 CET | 176 | IN | HTTP/1.0 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Thu, 07 Nov 2024 14:42:07 GMT
Content-Length: 19
Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 54124 | 199.59.243.227 | 80 | 3708 | C:\daxjjwrfm\qbpabupgx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:43:30.006602049 CET | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: variousstream.net
Nov 7, 2024 15:43:30.690996885 CET | 1236 | IN | HTTP/1.1 200 OK
date: Thu, 07 Nov 2024 14:43:30 GMT
content-type: text/html; charset=utf-8
content-length: 1066
x-request-id: 10bb1350-d489-4482-86a2-e3d1bf3db72c
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==
set-cookie: parking_session=10bb1350-d489-4482-86a2-e3d1bf3db72c; expires=Thu, 07 Nov 2024 14:58:30 GMT; path=/
connection: close
Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:43:30.691035032 CET | 519 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTBiYjEzNTAtZDQ4OS00NDgyLTg2YTItZTNkMWJmM2RiNzJjIiwicGFnZV90aW1lIjoxNzMwOTkwNj
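The seven sessions above share one request shape (an HTTP/1.0 GET of /index.php carrying only Accept, Connection and Host, with no User-Agent) sent from the dropped executable to a different two-word .net host each time, and what comes back is either a domain-parking template (x-adblock-key, parking_session, window.park), the same nginx template with a btst/snkz cookie pair across three unrelated hosts, or a bare 404. The script below is an added example, not part of the Joe Sandbox report and not the sample's own code: it re-types those sessions as constructed records (host, peer address, PID and OUT byte count copied from the report, responses trimmed to the headers the checks consult; session 7's response is cut off in the report and is assumed to continue like session 1's) and runs the three checks a detection engineer would write over them. The record layout, the response labels and the min_domains threshold are this example's choices.

```python
from collections import defaultdict

# Constructed records re-typed from the seven sessions in the report above.
# Layout: (session id, PID, Host header, destination IP, bytes OUT, response).
IMAGE = r"C:\daxjjwrfm\qbpabupgx.exe"
REQUEST = "GET /index.php HTTP/1.0\r\nAccept: */*\r\nConnection: close\r\nHost: {host}\r\n\r\n"

# Template returned by returnbottle.net, gentleanother.net and pleasantinstead.net (trimmed).
BTST = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\nConnection: close\r\n"
        "Set-Cookie: btst=cd2635dbd9d522f28e306e5768c6e0c3|173.254.250.79|1730990517|1730990517|0|1|0; "
        "path=/; HttpOnly; SameSite=Lax;\r\nSet-Cookie: snkz=173.254.250.79; path=/\r\n\r\n")
# Template returned by glassbright.net and variousstream.net (key truncated, trimmed).
PARKED = ("HTTP/1.1 200 OK\r\ncontent-type: text/html; charset=utf-8\r\ncontent-length: 1062\r\n"
          "x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOm...\r\n"
          "set-cookie: parking_session=b6dd4001-c41a-44db-a809-2b71c3a0bde1; path=/\r\n"
          "connection: close\r\n\r\n")
NOTFOUND = ("HTTP/1.0 404 Not Found\r\nContent-Type: text/plain; charset=utf-8\r\n"
            "X-Content-Type-Options: nosniff\r\nContent-Length: 19\r\n\r\n404 page not found\n")

SESSIONS = [
    (1, 6216, "returnbottle.net",    "18.143.155.63",  83, BTST),
    (2, 6216, "gentleanother.net",   "54.244.188.177", 84, BTST),
    (3, 6216, "glassbright.net",     "199.59.243.227", 82, PARKED),
    (4, 6216, "pleasantinstead.net", "18.143.155.63",  86, BTST),
    (5, 6216, "degreedaughter.net",  "85.214.228.140", 85, NOTFOUND),
    (6, 3708, "variousstream.net",   "199.59.243.227", 84, PARKED),
    (7, 3708, "returnbottle.net",    "18.143.155.63",  83, BTST),  # response cut off in report; assumed as session 1
]


def parse_http_head(raw: str):
    """Return (start line, {lowercased header name: [values]}) for one HTTP message head.
    Values are kept as lists because Set-Cookie legitimately repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers = defaultdict(list)
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return start, headers


def request_fingerprint(raw: str) -> bool:
    """The beacon shape on every OUT record: HTTP/1.0 GET /index.php with exactly
    Accept, Connection and Host, hence no User-Agent at all."""
    start, h = parse_http_head(raw)
    return (start == "GET /index.php HTTP/1.0"
            and h.get("accept") == ["*/*"]
            and h.get("connection") == ["close"]
            and set(h) == {"accept", "connection", "host"})


def classify_response(raw: str) -> str:
    """Label what the contacted host actually served; keyed on header shape only."""
    start, h = parse_http_head(raw)
    cookies = " ".join(h.get("set-cookie", []))
    if "x-adblock-key" in h or "parking_session=" in cookies:
        return "parking-page"        # the window.park template
    if "btst=" in cookies and "snkz=" in cookies:
        return "btst-cookie-page"    # identical nginx template behind several hosts
    if " 404 " in start:
        return "not-found"
    return "other"


def wire_bytes(host: str) -> int:
    """Size of the beacon request with CRLF line endings; equals the report's
    'Bytes transferred' for the OUT record (83 for returnbottle.net)."""
    return len(REQUEST.format(host=host).encode())


def analyze(sessions, group_by="pid", min_domains=3):
    """Aggregate per PID (or per image path) and flag fan-out: the same
    no-User-Agent beacon sent to at least min_domains distinct hosts."""
    groups = defaultdict(lambda: {"domains": set(), "peers": set(), "fingerprint_hits": 0,
                                  "responses": defaultdict(int), "byte_mismatch": []})
    for sid, pid, host, dst_ip, bytes_out, response in sessions:
        g = groups[pid if group_by == "pid" else IMAGE]
        g["domains"].add(host)
        g["peers"].add(dst_ip)
        if request_fingerprint(REQUEST.format(host=host)):
            g["fingerprint_hits"] += 1
        if wire_bytes(host) != bytes_out:   # sanity check against the report's byte column
            g["byte_mismatch"].append(sid)
        g["responses"][classify_response(response)] += 1
    return {
        key: {
            "distinct_domains": len(g["domains"]),
            "distinct_peers": len(g["peers"]),
            "fingerprint_hits": g["fingerprint_hits"],
            "responses": dict(g["responses"]),
            "byte_mismatch": g["byte_mismatch"],
            "flag": len(g["domains"]) >= min_domains and g["fingerprint_hits"] >= min_domains,
        }
        for key, g in groups.items()
    }


if __name__ == "__main__":
    for by in ("pid", "image"):
        for key, verdict in analyze(SESSIONS, group_by=by).items():
            print(f"[{by}] {key}: {verdict}")
```

Grouping matters for a capture this short: PID 6216 alone trips the rule (five distinct hosts, five fingerprint hits, four of them answered by parking templates), but PID 3708 on its own has only two sessions and stays under the threshold. The sample runs the same image under both PIDs, so grouping by image path gives six distinct hosts across seven identical beacons; a rule that keys on PID only would miss the second process. The classifier deliberately looks at header shape and not at the address echoed in the btst cookie, which is the same on every session and carries no information about the contacted domain.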


Session ID: 7
Source IP: 192.168.2.6
Source Port: 54125
Destination IP: 18.143.155.63
Destination Port: 80
PID: 3708
Process: C:\daxjjwrfm\qbpabupgx.exe

Timestamp: Nov 7, 2024 15:43:36.113943100 CET  Bytes transferred: 83  Direction: OUT
Data:
GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: returnbottle.net

Timestamp: Nov 7, 2024 15:43:37.556240082 CET  Bytes transferred: 387  Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 07 Nov 2024 14:43:37 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=a89907aea6476eb1005333d55caab224|173.254.250.79|1730990617|1730990617|0|1|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Target ID:0
Start time:09:41:48
Start date:07/11/2024
Path:C:\Users\user\Desktop\66HKNPT1fl.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\66HKNPT1fl.exe"
Imagebase:0x360000
File size:248'320 bytes
MD5 hash:F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:2
Start time:09:41:49
Start date:07/11/2024
Path:C:\daxjjwrfm\ew4bjmdlid9hjn8.exe
Wow64 process (32bit):true
Commandline:"C:\daxjjwrfm\ew4bjmdlid9hjn8.exe"
Imagebase:0x50000
File size:248'320 bytes
MD5 hash:F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 89%, ReversingLabs
Reputation:low
Has exited:true

Target ID:3
Start time:09:41:49
Start date:07/11/2024
Path:C:\daxjjwrfm\qbpabupgx.exe
Wow64 process (32bit):true
Commandline:C:\daxjjwrfm\qbpabupgx.exe
Imagebase:0xc20000
File size:248'320 bytes
MD5 hash:F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 89%, ReversingLabs
Reputation:low
Has exited:true

Target ID:4
Start time:09:41:50
Start date:07/11/2024
Path:C:\daxjjwrfm\tkjnbticppc.exe
Wow64 process (32bit):true
Commandline:mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"
Imagebase:0xa0000
File size:248'320 bytes
MD5 hash:F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 89%, ReversingLabs
Reputation:low
Has exited:true

Target ID:5
Start time:09:41:51
Start date:07/11/2024
Path:C:\daxjjwrfm\qbpabupgx.exe
Wow64 process (32bit):true
Commandline:"C:\daxjjwrfm\qbpabupgx.exe"
Imagebase:0xc20000
File size:248'320 bytes
MD5 hash:F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:8
Start time:09:43:09
Start date:07/11/2024
Path:C:\daxjjwrfm\qbpabupgx.exe
Wow64 process (32bit):true
Commandline:"c:\daxjjwrfm\qbpabupgx.exe"
Imagebase:0xc20000
File size:248'320 bytes
MD5 hash:F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:9
Start time:09:43:10
Start date:07/11/2024
Path:C:\daxjjwrfm\tkjnbticppc.exe
Wow64 process (32bit):true
Commandline:mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"
Imagebase:0x100000
File size:248'320 bytes
MD5 hash:F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false


Execution Graph

Execution Coverage:8.4%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:51.6%
Total number of Nodes:1932
Total number of Limit Nodes:18
                                                                                                                                                                                                              execution_graph 10664 38e139 10665 38e140 10664->10665 10666 38e294 10665->10666 10668 365730 2 API calls 10665->10668 10667 38e637 HeapFree FreeLibrary 10666->10667 10669 38e2e0 10668->10669 10670 383840 2 API calls 10669->10670 10670->10666 11231 3803b9 11232 3803c0 11231->11232 11326 3640b0 lstrlen 11232->11326 11234 3804d8 11327 3640b0 lstrlen 11234->11327 11236 3804e6 11237 365730 2 API calls 11236->11237 11299 380b61 11236->11299 11238 3805a8 11237->11238 11239 36b980 9 API calls 11238->11239 11240 3805c0 11239->11240 11241 383840 2 API calls 11240->11241 11242 3805d2 11241->11242 11243 380779 11242->11243 11245 365730 2 API calls 11242->11245 11244 384a90 9 API calls 11243->11244 11246 3807b9 11244->11246 11247 380637 11245->11247 11248 385810 8 API calls 11246->11248 11250 3675a0 9 API calls 11247->11250 11249 3807c5 11248->11249 11251 365730 2 API calls 11249->11251 11253 380669 11250->11253 11252 3807e6 11251->11252 11254 384a90 9 API calls 11252->11254 11257 383840 2 API calls 11253->11257 11255 380810 11254->11255 11256 385810 8 API calls 11255->11256 11258 38081c 11256->11258 11259 3806aa 11257->11259 11260 383840 2 API calls 11258->11260 11259->11243 11261 386b70 8 API calls 11259->11261 11262 38084e 11260->11262 11264 380712 11261->11264 11263 384a90 9 API calls 11262->11263 11265 38086d 11263->11265 11267 365730 2 API calls 11264->11267 11266 385810 8 API calls 11265->11266 11271 38087c 11266->11271 11268 38074f 11267->11268 11269 36b980 9 API calls 11268->11269 11270 380767 11269->11270 11272 383840 2 API calls 11270->11272 11276 365730 2 API calls 11271->11276 11310 380a19 11271->11310 11272->11243 11273 365730 2 API calls 11274 380a59 11273->11274 11275 384a90 9 API calls 11274->11275 11277 380a77 11275->11277 11278 3808e7 11276->11278 11279 
385810 8 API calls 11277->11279 11280 384a90 9 API calls 11278->11280 11284 380a83 11279->11284 11281 380902 11280->11281 11282 385810 8 API calls 11281->11282 11283 380911 11282->11283 11286 365730 2 API calls 11283->11286 11285 383840 2 API calls 11284->11285 11287 380acb 11285->11287 11288 380932 11286->11288 11289 380b1c socket 11287->11289 11291 385810 8 API calls 11287->11291 11290 383840 2 API calls 11288->11290 11295 380bb0 11289->11295 11289->11299 11292 380993 11290->11292 11291->11289 11328 36bba0 wvsprintfA 11292->11328 11293 380c70 gethostbyname 11294 380c99 inet_ntoa inet_addr htons connect 11293->11294 11293->11299 11300 380d44 11294->11300 11304 380d6d 11294->11304 11295->11293 11296 380c45 setsockopt 11295->11296 11296->11293 11301 3809d1 11302 383840 2 API calls 11301->11302 11303 3809e3 11302->11303 11305 384a90 9 API calls 11303->11305 11307 380d93 send 11304->11307 11306 380a0a 11305->11306 11308 385810 8 API calls 11306->11308 11309 380daf 11307->11309 11308->11310 11311 380db3 11309->11311 11312 366660 8 API calls 11309->11312 11310->11273 11325 380deb 11312->11325 11313 380e5b recv 11314 381275 closesocket 11313->11314 11313->11325 11314->11299 11315 3812ae 11314->11315 11317 386b70 8 API calls 11315->11317 11316 362bb0 GetSystemTimeAsFileTime 11316->11325 11317->11299 11318 390850 8 API calls 11318->11325 11319 361890 8 API calls 11319->11325 11320 365730 GetProcessHeap RtlAllocateHeap 11320->11325 11321 381265 11321->11314 11322 383840 GetProcessHeap RtlFreeHeap 11322->11325 11323 3876d0 9 API calls 11323->11325 11324 3675a0 9 API calls 11324->11325 11325->11313 11325->11314 11325->11316 11325->11318 11325->11319 11325->11320 11325->11321 11325->11322 11325->11323 11325->11324 11326->11234 11327->11236 11328->11301 10313 362630 10316 3651d0 10313->10316 10317 365202 10316->10317 10320 362df0 10317->10320 10319 36265b 10321 37cb30 8 API calls 10320->10321 10322 362e22 10321->10322 10322->10319 10518 37beb0 10519 37bec8 10518->10519 10524 
3640b0 lstrlen 10519->10524 10521 37bf13 10525 364090 10521->10525 10524->10521 10528 366670 10525->10528 10527 3640aa 10529 36668f 10528->10529 10530 3666f1 10529->10530 10531 3666fe 10529->10531 10532 3814f0 8 API calls 10530->10532 10534 3666fc 10531->10534 10535 36b9e0 10531->10535 10532->10534 10534->10527 10536 36b9ff 10535->10536 10537 37cb30 8 API calls 10536->10537 10538 36ba40 10537->10538 10538->10534 10675 36b531 10676 36b5ae RegisterServiceCtrlHandlerA 10675->10676 10680 36b696 10676->10680 10678 36b8ba 10679 36b702 SetServiceStatus CreateEventA SetServiceStatus 10681 36b7a2 10679->10681 10682 36b7b0 WaitForSingleObject 10679->10682 10680->10678 10680->10679 10681->10682 10682->10682 10683 36b7dd 10682->10683 10684 366590 WaitForSingleObject 10683->10684 10685 36b7f4 SetServiceStatus CloseHandle SetServiceStatus 10684->10685 10685->10678 11332 384db0 11333 384ddf 11332->11333 11334 38fad0 4 API calls 11333->11334 11335 384e33 11333->11335 11334->11335 10295 386d32 10296 386d4b 10295->10296 10303 362ef0 10296->10303 10300 386d5f 10301 386e43 ExitProcess 10300->10301 10302 386e26 10300->10302 10302->10301 10310 373d60 10303->10310 10305 362f36 10306 3620e0 GetStdHandle GetStdHandle 10305->10306 10307 362177 GetStdHandle 10306->10307 10308 36215b 10306->10308 10309 3621bc 10307->10309 10308->10307 10309->10300 10311 373d84 10310->10311 10312 373d9f GetProcessHeap HeapAlloc 10310->10312 10311->10312 10312->10305 11336 387da8 11344 387db0 11336->11344 11337 38835c 11338 366660 8 API calls 11337->11338 11339 3885a4 11338->11339 11340 365730 GetProcessHeap RtlAllocateHeap 11340->11344 11341 361890 8 API calls 11341->11344 11342 388354 11343 383840 GetProcessHeap RtlFreeHeap 11343->11344 11344->11337 11344->11340 11344->11341 11344->11342 11344->11343 11345 381950 5 API calls 11344->11345 11346 3882d0 CreateThread CloseHandle 11344->11346 11345->11344 11346->11344 10539 3628a0 10540 3628b0 10539->10540 10541 3628c2 10540->10541 10542 362a0c ReadFile 
10540->10542 10543 362a31 10542->10543 10544 3620a0 10545 3620b7 10544->10545 10546 3651d0 8 API calls 10545->10546 10547 3620ce 10546->10547 11347 3777a1 11348 3777aa 11347->11348 11349 365730 2 API calls 11348->11349 11350 377b66 11349->11350 11351 383840 2 API calls 11350->11351 11352 377b95 11351->11352 10323 382820 10324 382873 10323->10324 10327 3667e0 10324->10327 10328 36681a 10327->10328 10329 36690b 10327->10329 10331 366834 10328->10331 10332 3668bf 10328->10332 10345 37c640 10329->10345 10336 3864f0 10331->10336 10334 3864f0 4 API calls 10332->10334 10335 366849 10334->10335 10338 386532 10336->10338 10337 386567 10337->10335 10338->10337 10341 3865c5 10338->10341 10353 376dc0 10338->10353 10340 376dc0 4 API calls 10342 386684 10340->10342 10341->10340 10341->10342 10358 377450 10342->10358 10346 37c6a0 10345->10346 10347 37c756 10346->10347 10348 376dc0 4 API calls 10346->10348 10349 3670e0 4 API calls 10347->10349 10350 37ca18 10347->10350 10348->10347 10351 37c7ba 10349->10351 10350->10335 10351->10350 10352 3670e0 4 API calls 10351->10352 10352->10351 10354 376df3 10353->10354 10355 376df9 10353->10355 10354->10341 10362 3670e0 10355->10362 10357 376e71 10357->10341 10359 3775ba 10358->10359 10360 37748f 10358->10360 10359->10335 10360->10359 10361 37c520 2 API calls 10360->10361 10361->10360 10363 367110 10362->10363 10367 367130 10362->10367 10364 376f00 2 API calls 10363->10364 10365 367127 10364->10365 10366 37c520 2 API calls 10365->10366 10365->10367 10366->10367 10367->10357 10368 382420 FlushFileBuffers 10369 382460 GetLastError 10368->10369 10370 3824a2 10368->10370 10371 374a29 10381 374a30 10371->10381 10372 3670e0 4 API calls 10372->10381 10373 375323 10376 375395 10373->10376 10377 375389 10373->10377 10374 376dc0 4 API calls 10374->10381 10375 377450 2 API calls 10382 374be5 10375->10382 10378 377450 2 API calls 10376->10378 10379 377450 2 API calls 10377->10379 10380 375390 10378->10380 10379->10380 10381->10372 10381->10374 
10381->10382 10382->10373 10382->10375 10548 377496 10550 3774a0 10548->10550 10549 3775ba 10550->10549 10551 37c520 2 API calls 10550->10551 10551->10550 10552 365c90 10553 365c9b 10552->10553 10554 365ca7 10553->10554 10555 361fc0 2 API calls 10553->10555 10555->10554 10560 374290 10561 3742b3 10560->10561 10562 3742ba SetServiceStatus 10560->10562 10561->10562 10564 3742e7 SetServiceStatus SetEvent 10561->10564 10565 3742d3 10561->10565 10566 374350 10562->10566 10564->10566 10565->10564 10387 38fe10 10388 38fe46 10387->10388 10389 3899b0 3 API calls 10388->10389 10390 38ff15 10389->10390 10391 3660a0 10 API calls 10390->10391 10392 38ff81 10391->10392 10393 385860 lstrlen 10392->10393 10394 38ff97 10393->10394 10395 365730 2 API calls 10394->10395 10396 38ffcc 10395->10396 10397 383840 2 API calls 10396->10397 10401 390021 10397->10401 10398 38c080 12 API calls 10398->10401 10399 366660 8 API calls 10400 39074e Sleep 10399->10400 10400->10401 10401->10398 10401->10399 10403 37c250 6 API calls 10401->10403 10404 3838b0 3 API calls 10401->10404 10405 363dc0 GetSystemTimeAsFileTime 10401->10405 10407 382950 32 API calls 10401->10407 10408 36b980 9 API calls 10401->10408 10409 385810 8 API calls 10401->10409 10410 364460 8 API calls 10401->10410 10412 365730 GetProcessHeap RtlAllocateHeap 10401->10412 10413 3801b0 21 API calls 10401->10413 10414 383840 GetProcessHeap RtlFreeHeap 10401->10414 10415 375520 27 API calls 10401->10415 10416 3897d0 10401->10416 10427 375b60 10401->10427 10433 373880 10401->10433 10403->10401 10404->10401 10405->10401 10407->10401 10408->10401 10409->10401 10410->10401 10412->10401 10413->10401 10414->10401 10415->10401 10417 365730 2 API calls 10416->10417 10418 389826 10417->10418 10419 365730 2 API calls 10418->10419 10420 389841 10419->10420 10440 3777f0 10420->10440 10423 383840 2 API calls 10424 389877 10423->10424 10425 383840 2 API calls 10424->10425 10426 3898b6 10425->10426 10426->10401 10428 375b8e 10427->10428 10429 382300 2 
API calls 10428->10429 10430 375bf4 10429->10430 10431 361890 8 API calls 10430->10431 10432 375cf8 10430->10432 10431->10432 10432->10401 10435 373898 10433->10435 10434 373aa3 10434->10401 10435->10434 10436 37398b DeleteFileA 10435->10436 10438 373a31 10435->10438 10446 36bab0 10435->10446 10436->10435 10438->10434 10451 389bd0 10438->10451 10441 37781d 10440->10441 10442 365730 2 API calls 10441->10442 10443 377b66 10442->10443 10444 383840 2 API calls 10443->10444 10445 377b95 10444->10445 10445->10423 10455 38c460 10446->10455 10448 36bacd 10459 362870 10448->10459 10452 389c07 10451->10452 10453 389c9b 10452->10453 10474 361060 10452->10474 10453->10438 10456 38c478 10455->10456 10457 390850 8 API calls 10456->10457 10458 38c4b6 10457->10458 10458->10448 10460 36287e 10459->10460 10461 362890 10460->10461 10463 364e20 10460->10463 10461->10435 10466 388a40 10463->10466 10465 364e2f 10465->10461 10467 388a52 10466->10467 10470 36baf0 10467->10470 10469 388a68 10469->10465 10471 36bafb 10470->10471 10472 37cb30 8 API calls 10471->10472 10473 36bb3c 10472->10473 10473->10469 10477 384d20 10474->10477 10478 384d4b 10477->10478 10481 3814f0 10478->10481 10480 36106e 10480->10453 10482 38152d 10481->10482 10483 390850 8 API calls 10482->10483 10484 3815b9 10483->10484 10484->10480 10694 386d10 10695 386d4b 10694->10695 10696 362ef0 2 API calls 10695->10696 10697 386d50 10696->10697 10698 3620e0 3 API calls 10697->10698 10699 386d5f 10698->10699 10700 386e43 ExitProcess 10699->10700 10485 381814 10488 381820 10485->10488 10486 38184d ReadFile 10487 3818fa 10486->10487 10486->10488 10488->10486 10488->10487 10489 361890 8 API calls 10488->10489 10489->10488 11360 385b96 11361 385ba0 11360->11361 11362 383840 2 API calls 11361->11362 11363 385e79 11362->11363 10490 361000 10491 361024 10490->10491 10494 3640b0 lstrlen 10491->10494 10493 361038 10494->10493 10701 361300 10702 36131b 10701->10702 10757 381a90 10702->10757 10704 361394 10705 3897d0 4 API calls 
10704->10705 10711 36178c 10704->10711 10706 3613f9 10705->10706 10707 365730 2 API calls 10706->10707 10708 361419 10707->10708 10709 36b980 9 API calls 10708->10709 10710 36144e 10709->10710 10712 383840 2 API calls 10710->10712 10713 361468 10712->10713 10760 365cc0 10713->10760 10718 385810 8 API calls 10719 3614ae 10718->10719 10720 365730 2 API calls 10719->10720 10721 3614e8 10720->10721 10722 384a90 9 API calls 10721->10722 10723 36150d 10722->10723 10724 385810 8 API calls 10723->10724 10725 361519 10724->10725 10726 383840 2 API calls 10725->10726 10727 361533 10726->10727 10728 375b60 8 API calls 10727->10728 10729 361573 10728->10729 10730 385810 8 API calls 10729->10730 10731 36157c 10730->10731 10766 386b70 10731->10766 10733 3615a6 10770 3644a0 10733->10770 10735 3615c0 10736 388ba0 9 API calls 10735->10736 10737 3615fb 10736->10737 10827 367640 10737->10827 10740 365730 2 API calls 10741 361635 10740->10741 10742 384a90 9 API calls 10741->10742 10743 361661 10742->10743 10744 385810 8 API calls 10743->10744 10745 36166d 10744->10745 10746 383840 2 API calls 10745->10746 10747 361694 10746->10747 10748 361890 8 API calls 10747->10748 10749 3616c2 10748->10749 10750 366660 8 API calls 10749->10750 10751 361716 10750->10751 10752 365730 2 API calls 10751->10752 10753 361754 10752->10753 10831 3801b0 10753->10831 10755 36177a 10756 383840 2 API calls 10755->10756 10756->10711 10758 361890 8 API calls 10757->10758 10759 381abf SetEvent 10758->10759 10759->10704 10931 36ab70 10760->10931 10763 3776c0 10764 388a40 8 API calls 10763->10764 10765 3614a2 10764->10765 10765->10718 10767 386b8d 10766->10767 10768 3814f0 8 API calls 10767->10768 10769 386c57 10768->10769 10769->10733 10771 3644c4 10770->10771 10772 365730 2 API calls 10771->10772 10777 364611 10771->10777 10773 3645e0 10772->10773 10774 36b980 9 API calls 10773->10774 10775 3645ff 10774->10775 10776 383840 2 API calls 10775->10776 10776->10777 10778 3646a4 10777->10778 10779 364789 10777->10779 
10780 365730 2 API calls 10778->10780 10783 365730 2 API calls 10779->10783 10781 3646c6 10780->10781 10782 36b980 9 API calls 10781->10782 10785 3646e5 10782->10785 10784 3647cf 10783->10784 10939 363640 10784->10939 10787 383840 2 API calls 10785->10787 10789 36476a 10787->10789 10788 3647f9 10790 383840 2 API calls 10788->10790 10789->10735 10791 364819 10790->10791 10792 36483f 10791->10792 10793 3648ac 10791->10793 10794 365730 2 API calls 10792->10794 10952 365600 GetModuleFileNameA 10793->10952 10797 364855 10794->10797 10800 36b980 9 API calls 10797->10800 10798 36493c 10802 365f60 lstrlen 10798->10802 10799 3648c9 10801 365730 2 API calls 10799->10801 10803 364886 10800->10803 10804 3648e9 10801->10804 10805 364967 10802->10805 10806 383840 2 API calls 10803->10806 10807 36b980 9 API calls 10804->10807 10954 38b310 10805->10954 10809 364898 10806->10809 10810 364901 10807->10810 10809->10735 10812 383840 2 API calls 10810->10812 10813 36491f 10812->10813 10813->10735 10816 365730 2 API calls 10817 3649d2 10816->10817 10818 383840 2 API calls 10817->10818 10819 3649fd 10818->10819 10962 3640b0 lstrlen 10819->10962 10821 364a3e 10822 383060 5 API calls 10821->10822 10823 364a79 10822->10823 10963 38eeb0 10823->10963 10826 364bb6 10826->10735 10828 36765b 10827->10828 10829 386ff0 8 API calls 10828->10829 10830 36161f 10829->10830 10830->10740 10832 380218 10831->10832 10833 363dc0 GetSystemTimeAsFileTime 10832->10833 10834 3802bf 10833->10834 11160 3640b0 lstrlen 10834->11160 10836 380342 10836->10755 10838 380300 10838->10836 11161 3640b0 lstrlen 10838->11161 10839 3804d8 11162 3640b0 lstrlen 10839->11162 10841 3804e6 10842 365730 2 API calls 10841->10842 10904 380b61 10841->10904 10843 3805a8 10842->10843 10844 36b980 9 API calls 10843->10844 10845 3805c0 10844->10845 10846 383840 2 API calls 10845->10846 10847 3805d2 10846->10847 10848 380779 10847->10848 10850 365730 2 API calls 10847->10850 10849 384a90 9 API calls 10848->10849 10851 3807b9 10849->10851 
10852 380637 10850->10852 10853 385810 8 API calls 10851->10853 10855 3675a0 9 API calls 10852->10855 10854 3807c5 10853->10854 10856 365730 2 API calls 10854->10856 10858 380669 10855->10858 10857 3807e6 10856->10857 10859 384a90 9 API calls 10857->10859 10862 383840 2 API calls 10858->10862 10860 380810 10859->10860 10861 385810 8 API calls 10860->10861 10863 38081c 10861->10863 10864 3806aa 10862->10864 10865 383840 2 API calls 10863->10865 10864->10848 10866 386b70 8 API calls 10864->10866 10867 38084e 10865->10867 10869 380712 10866->10869 10868 384a90 9 API calls 10867->10868 10870 38086d 10868->10870 10872 365730 2 API calls 10869->10872 10871 385810 8 API calls 10870->10871 10876 38087c 10871->10876 10873 38074f 10872->10873 10874 36b980 9 API calls 10873->10874 10875 380767 10874->10875 10877 383840 2 API calls 10875->10877 10881 365730 2 API calls 10876->10881 10915 380a19 10876->10915 10877->10848 10878 365730 2 API calls 10879 380a59 10878->10879 10880 384a90 9 API calls 10879->10880 10882 380a77 10880->10882 10883 3808e7 10881->10883 10884 385810 8 API calls 10882->10884 10885 384a90 9 API calls 10883->10885 10889 380a83 10884->10889 10886 380902 10885->10886 10887 385810 8 API calls 10886->10887 10888 380911 10887->10888 10891 365730 2 API calls 10888->10891 10890 383840 2 API calls 10889->10890 10892 380acb 10890->10892 10893 380932 10891->10893 10894 380b1c socket 10892->10894 10896 385810 8 API calls 10892->10896 10895 383840 2 API calls 10893->10895 10900 380bb0 10894->10900 10894->10904 10897 380993 10895->10897 10896->10894 11163 36bba0 wvsprintfA 10897->11163 10898 380c70 gethostbyname 10899 380c99 inet_ntoa inet_addr htons connect 10898->10899 10898->10904 10905 380d44 10899->10905 10909 380d6d 10899->10909 10900->10898 10901 380c45 setsockopt 10900->10901 10901->10898 10904->10755 10905->10755 10906 3809d1 10907 383840 2 API calls 10906->10907 10908 3809e3 10907->10908 10910 384a90 9 API calls 10908->10910 10912 380d93 send 10909->10912 10911 
380a0a 10910->10911 10913 385810 8 API calls 10911->10913 10914 380daf 10912->10914 10913->10915 10916 380db3 10914->10916 10917 366660 8 API calls 10914->10917 10915->10878 10916->10755 10930 380deb 10917->10930 10918 380e5b recv 10919 381275 closesocket 10918->10919 10918->10930 10919->10904 10920 3812ae 10919->10920 10922 386b70 8 API calls 10920->10922 10922->10904 10923 390850 8 API calls 10923->10930 10924 361890 8 API calls 10924->10930 10925 365730 GetProcessHeap RtlAllocateHeap 10925->10930 10926 381265 10926->10919 10927 383840 GetProcessHeap RtlFreeHeap 10927->10930 10929 3675a0 9 API calls 10929->10930 10930->10918 10930->10919 10930->10923 10930->10924 10930->10925 10930->10926 10930->10927 10930->10929 11164 362bb0 10930->11164 11168 3876d0 10930->11168 10932 36ab7b 10931->10932 10935 38c960 10932->10935 10936 38c97c 10935->10936 10937 386ff0 8 API calls 10936->10937 10938 361499 10937->10938 10938->10763 10941 363672 10939->10941 10940 3636d6 10940->10788 10941->10940 10987 362710 10941->10987 10945 3637bd 10948 363772 10945->10948 10997 366bf0 10945->10997 10947 363834 11004 362f90 10947->11004 11015 384b20 10948->11015 10953 3648c2 10952->10953 10953->10798 10953->10799 10955 38b367 10954->10955 10956 364994 10955->10956 10957 387040 8 API calls 10955->10957 10958 363480 10956->10958 10957->10956 10961 3634a7 10958->10961 10959 3635ea 10959->10816 10960 38b310 8 API calls 10960->10961 10961->10959 10961->10960 10962->10821 10964 38efa4 10963->10964 10965 38efd0 CreatePipe 10964->10965 10966 38f038 SetHandleInformation CreatePipe 10965->10966 10970 38f015 10965->10970 10968 38f0b0 10966->10968 10969 38f104 SetHandleInformation 10966->10969 10971 38f377 CloseHandle 10968->10971 10976 38f167 10969->10976 10974 366660 8 API calls 10970->10974 10975 364b5e DeleteFileA 10970->10975 10971->10970 10973 38f3a5 CloseHandle 10971->10973 10973->10970 10974->10975 10975->10826 10977 38f297 CreateProcessA 10976->10977 10978 38f2e0 10977->10978 10979 38f42a 
WriteFile 10978->10979 10980 38f345 CloseHandle CloseHandle 10978->10980 10979->10980 10982 38f49f CloseHandle CloseHandle 10979->10982 10980->10971 10984 38f502 10982->10984 11153 381720 10984->11153 10988 36274d 10987->10988 10989 3670e0 4 API calls 10988->10989 10990 3627bd 10989->10990 10991 3852f0 4 API calls 10990->10991 10992 3627e3 10990->10992 10991->10992 10992->10948 10993 3852f0 10992->10993 10994 385311 10993->10994 10995 3670e0 4 API calls 10994->10995 10996 38533c 10995->10996 10996->10945 11018 3735f0 10997->11018 11001 366c50 11030 3885e0 11001->11030 11003 366c6a 11003->10947 11005 362f9d 11004->11005 11006 363470 11005->11006 11042 38fc20 11005->11042 11006->10948 11008 36307d 11009 365730 2 API calls 11008->11009 11011 3630f5 11008->11011 11014 3632fa 11008->11014 11012 3632ab 11009->11012 11010 365730 2 API calls 11010->11011 11011->10948 11012->11011 11013 383840 2 API calls 11012->11013 11013->11014 11014->11010 11014->11011 11016 377450 2 API calls 11015->11016 11017 363984 11016->11017 11017->10788 11019 37360f 11018->11019 11020 365730 2 API calls 11019->11020 11021 373686 11020->11021 11022 383840 2 API calls 11021->11022 11023 366c32 11022->11023 11024 377bf0 11023->11024 11025 377c2d 11024->11025 11026 377de8 11024->11026 11029 377d1d 11025->11029 11036 385950 11025->11036 11026->11001 11028 385950 4 API calls 11028->11029 11029->11026 11029->11028 11031 388665 11030->11031 11032 377bf0 4 API calls 11031->11032 11033 3888e3 11032->11033 11034 377bf0 4 API calls 11033->11034 11035 388909 11034->11035 11035->11003 11037 3859a4 11036->11037 11038 365730 2 API calls 11037->11038 11039 385b5f 11038->11039 11040 383840 2 API calls 11039->11040 11041 385e79 11040->11041 11041->11029 11043 38fc5c 11042->11043 11044 362710 4 API calls 11043->11044 11046 38fc82 11044->11046 11045 377450 2 API calls 11047 38fda5 11045->11047 11048 38fd03 11046->11048 11049 38fcb5 11046->11049 11053 38fd51 11046->11053 11047->11008 11054 374420 11048->11054 11050 
377450 2 API calls 11049->11050 11052 38fcea 11050->11052 11052->11008 11053->11045 11056 37444f 11054->11056 11055 3753c0 11055->11053 11056->11055 11057 3670e0 4 API calls 11056->11057 11058 374686 11057->11058 11060 3670e0 4 API calls 11058->11060 11088 374be5 11058->11088 11059 375323 11064 375395 11059->11064 11065 375389 11059->11065 11061 3746cf 11060->11061 11063 3670e0 4 API calls 11061->11063 11061->11088 11062 377450 2 API calls 11062->11088 11069 37470a 11063->11069 11066 377450 2 API calls 11064->11066 11067 377450 2 API calls 11065->11067 11068 375390 11066->11068 11067->11068 11068->11053 11070 3852f0 4 API calls 11069->11070 11080 37473a 11069->11080 11069->11088 11071 374789 11070->11071 11071->11088 11090 373b00 11071->11090 11073 3747b1 11073->11088 11094 3722e0 11073->11094 11074 37488f 11077 376dc0 4 API calls 11074->11077 11075 37487c 11078 3722e0 4 API calls 11075->11078 11079 37488a 11077->11079 11078->11079 11081 376dc0 4 API calls 11079->11081 11080->11074 11080->11075 11080->11088 11082 3748eb 11081->11082 11083 3670e0 4 API calls 11082->11083 11082->11088 11084 374980 11083->11084 11085 376dc0 4 API calls 11084->11085 11084->11088 11087 3749af 11085->11087 11086 3670e0 4 API calls 11086->11087 11087->11086 11087->11088 11089 376dc0 4 API calls 11087->11089 11088->11059 11088->11062 11089->11087 11091 373b94 11090->11091 11092 3670e0 4 API calls 11091->11092 11093 373bca 11091->11093 11092->11093 11093->11073 11093->11093 11095 37232a 11094->11095 11102 375f50 11095->11102 11097 3723cf 11097->11080 11098 3667e0 4 API calls 11099 372356 11098->11099 11099->11097 11099->11098 11101 372396 11099->11101 11101->11097 11144 387930 11101->11144 11104 375f9b 11102->11104 11103 375fc0 11103->11099 11104->11103 11105 3760a5 11104->11105 11106 37603b 11104->11106 11107 376dc0 4 API calls 11105->11107 11108 376054 11106->11108 11109 3852f0 4 API calls 11106->11109 11113 3760b9 11107->11113 11110 376086 11108->11110 11111 376dc0 4 API calls 
11108->11111 11134 376079 11108->11134 11109->11108 11110->11099 11111->11134 11112 377450 2 API calls 11114 376d9a 11112->11114 11115 376dc0 4 API calls 11113->11115 11113->11134 11114->11099 11116 37612e 11115->11116 11117 3670e0 4 API calls 11116->11117 11116->11134 11118 37617a 11117->11118 11119 3852f0 4 API calls 11118->11119 11118->11134 11120 37619b 11119->11120 11121 3670e0 4 API calls 11120->11121 11120->11134 11122 3761c5 11121->11122 11123 3670e0 4 API calls 11122->11123 11122->11134 11124 3761e7 11123->11124 11125 373b00 4 API calls 11124->11125 11126 3762c4 11124->11126 11124->11134 11128 376277 11125->11128 11127 373b00 4 API calls 11126->11127 11126->11134 11131 376391 11127->11131 11129 373b00 4 API calls 11128->11129 11128->11134 11129->11126 11130 387930 4 API calls 11130->11131 11131->11130 11138 37641d 11131->11138 11132 376c28 11133 376dc0 4 API calls 11132->11133 11135 376c7a 11132->11135 11133->11135 11134->11110 11134->11112 11135->11134 11136 376dc0 4 API calls 11135->11136 11136->11134 11137 3852f0 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 11137->11138 11138->11132 11138->11134 11138->11137 11139 3611a0 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 11138->11139 11140 387930 4 API calls 11138->11140 11141 376dc0 4 API calls 11138->11141 11142 373b00 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 11138->11142 11143 3667e0 4 API calls 11138->11143 11139->11138 11140->11138 11141->11138 11142->11138 11143->11138 11145 387978 11144->11145 11146 387b39 11144->11146 11148 38799d 11145->11148 11149 387a45 11145->11149 11147 37c640 4 API calls 11146->11147 11152 3879c4 11147->11152 11151 3864f0 4 API calls 11148->11151 11150 3864f0 4 API calls 11149->11150 11150->11152 11151->11152 11152->11101 11154 38172d 11153->11154 11155 366660 8 API calls 11154->11155 11158 3817f3 11155->11158 11156 38184d ReadFile 11157 3818fa WaitForSingleObject CloseHandle CloseHandle 11156->11157 11156->11158 11157->10970 
11158->11156 11158->11157 11159 361890 8 API calls 11158->11159 11159->11158 11160->10838 11161->10839 11162->10841 11163->10906 11165 362bd3 11164->11165 11167 362c20 11164->11167 11166 363dc0 GetSystemTimeAsFileTime 11165->11166 11166->11167 11167->10930 11169 365730 2 API calls 11168->11169 11170 38770d 11169->11170 11171 3675a0 9 API calls 11170->11171 11172 387742 11171->11172 11173 383840 2 API calls 11172->11173 11175 387786 11173->11175 11174 3877b9 11174->10930 11175->11174 11176 365730 2 API calls 11175->11176 11177 387816 11176->11177 11178 3675a0 9 API calls 11177->11178 11179 387867 11178->11179 11180 383840 2 API calls 11179->11180 11181 387898 11180->11181 11181->10930 11182 381300 11183 382320 lstrlen 11182->11183 11184 38130f 11183->11184 11372 37c389 11373 37c390 11372->11373 11375 37c4a2 CloseHandle 11373->11375 11376 37c441 Process32Next 11373->11376 11379 372290 lstrlen CharLowerBuffA 11373->11379 11378 37c4e5 11375->11378 11376->11373 11376->11375 11379->11373 11185 373f74 11188 373f80 11185->11188 11186 373fbd Sleep 11187 363dc0 GetSystemTimeAsFileTime 11186->11187 11187->11188 11188->11186 11189 373feb 11188->11189 10571 3784f0 10572 37850d 10571->10572 10581 3640b0 lstrlen 10572->10581 10574 378575 10575 390850 8 API calls 10574->10575 10576 37858f 10575->10576 10577 3838a0 9 API calls 10576->10577 10578 3785b9 10577->10578 10582 384ae0 10578->10582 10581->10574 10583 384aee 10582->10583 10584 361890 8 API calls 10583->10584 10585 378617 10584->10585 10586 38f6f0 10587 377330 12 API calls 10586->10587 10588 38f70d 10587->10588 10589 361890 8 API calls 10588->10589 10590 38f776 10589->10590 11380 381ff6 11387 382000 11380->11387 11382 3821e9 Process32Next 11383 382255 CloseHandle 11382->11383 11382->11387 11388 38228b 11383->11388 11384 382098 OpenProcess 11384->11387 11385 38210a TerminateProcess 11386 38217a CloseHandle 11385->11386 11385->11387 11386->11387 11387->11382 11387->11384 11387->11385 11387->11386 11389 372290 lstrlen 
CharLowerBuffA 11387->11389 11389->11387 10600 387ee8 10603 387db0 10600->10603 10601 366660 8 API calls 10602 3885a4 10601->10602 10604 388354 10603->10604 10605 38835c 10603->10605 10606 383840 GetProcessHeap RtlFreeHeap 10603->10606 10607 361890 8 API calls 10603->10607 10608 365730 GetProcessHeap RtlAllocateHeap 10603->10608 10610 3882d0 CreateThread CloseHandle 10603->10610 10611 381950 CreateEventA CreateThread CloseHandle WaitForSingleObject 10603->10611 10605->10601 10606->10603 10607->10603 10608->10603 10610->10603 10612 381a0c 10611->10612 10613 381a16 CloseHandle 10611->10613 10612->10613 10613->10603 10614 37c8e5 10616 37c8f0 10614->10616 10615 3670e0 4 API calls 10615->10616 10616->10615 10617 37ca18 10616->10617 11390 3653e0 11395 3626f0 11390->11395 11398 38ec80 11395->11398 11399 38ecae 11398->11399 11400 38ec8a 11398->11400 11401 37c520 2 API calls 11400->11401 11401->11399 11402 3753e0 11403 366660 8 API calls 11402->11403 11404 375425 11403->11404 11409 375db0 11404->11409 11406 366660 8 API calls 11408 3754fd 11406->11408 11407 375444 11407->11406 11410 375dc1 11409->11410 11411 386ff0 8 API calls 11410->11411 11412 375dd1 11411->11412 11412->11407 11190 381360 11191 381383 11190->11191 11196 385250 11191->11196 11194 384ae0 8 API calls 11195 3813e6 11194->11195 11197 385261 11196->11197 11198 386ff0 8 API calls 11197->11198 11199 3813cc 11198->11199 11199->11194 10622 38badc 10631 38bae0 10622->10631 10624 38bc51 CreateToolhelp32Snapshot 10624->10631 10625 365730 GetProcessHeap RtlAllocateHeap 10625->10631 10626 38bcde Module32First 10626->10631 10628 383840 GetProcessHeap RtlFreeHeap 10628->10631 10629 3838a0 9 API calls 10629->10631 10630 365f40 8 API calls 10632 38bdfd CloseHandle Process32Next 10630->10632 10631->10624 10631->10625 10631->10626 10631->10628 10631->10629 10631->10630 10633 38be76 CloseHandle 10631->10633 10635 3640b0 lstrlen 10631->10635 10636 36bba0 wvsprintfA 10631->10636 10632->10631 10635->10631 10636->10631 11416 
362dd0 11419 38fb30 11416->11419 11420 385070 lstrlen 11419->11420 11421 362ddf 11420->11421 11208 37cf50 11213 362da0 11208->11213 11218 387620 11213->11218 11219 387645 11218->11219 11220 362cc0 8 API calls 11219->11220 11221 387660 11220->11221 11422 388dd6 11426 388de0 11422->11426 11423 383840 2 API calls 11425 389705 11423->11425 11424 365f40 8 API calls 11424->11426 11426->11424 11427 3891c9 11426->11427 11428 3838a0 9 API calls 11426->11428 11429 38969c 11427->11429 11430 365f40 8 API calls 11427->11430 11433 3895b0 11427->11433 11434 3838a0 9 API calls 11427->11434 11428->11426 11429->11423 11430->11427 11431 3838a0 9 API calls 11431->11433 11432 365f40 8 API calls 11432->11433 11433->11429 11433->11431 11433->11432 11434->11427 11222 374d58 11224 374d60 11222->11224 11223 375323 11226 375395 11223->11226 11227 375389 11223->11227 11224->11223 11225 377450 2 API calls 11224->11225 11225->11224 11228 377450 2 API calls 11226->11228 11229 377450 2 API calls 11227->11229 11230 375390 11228->11230 11229->11230 10640 3624c6 ExitProcess 9246 37b744 9247 37b7d3 9246->9247 9251 3700c8 9247->9251 9452 370ae8 9247->9452 9589 383840 9251->9589 9255 37010b 9256 383840 2 API calls 9255->9256 9257 37013a 9256->9257 9258 365730 2 API calls 9257->9258 9259 370180 9258->9259 9260 383840 2 API calls 9259->9260 9261 3701a9 9260->9261 9262 365730 2 API calls 9261->9262 9263 3701f9 9262->9263 9264 383840 2 API calls 9263->9264 9265 370219 9264->9265 9266 365730 2 API calls 9265->9266 9267 37027a 9266->9267 9268 383840 2 API calls 9267->9268 9269 370292 9268->9269 9270 383840 2 API calls 9269->9270 9271 3702d0 9270->9271 9597 37c520 9271->9597 9275 37036d 9276 365730 2 API calls 9275->9276 9277 3703c5 GetEnvironmentVariableA 9276->9277 9279 383840 2 API calls 9277->9279 9280 370414 CreateMutexA CreateMutexA CreateMutexA 9279->9280 9606 366460 9280->9606 9282 3704b5 9283 37060b 9282->9283 9285 37057f GetTickCount 9282->9285 9286 37056a 9282->9286 9610 372490 9283->9610 9288 
370593 9285->9288 9286->9285 9287 37061a GetCommandLineA 9292 370652 9287->9292 9290 365730 2 API calls 9288->9290 9291 3705a9 9290->9291 9294 383840 2 API calls 9291->9294 9293 365730 2 API calls 9292->9293 9296 3706e3 9293->9296 9295 3705de 9294->9295 9295->9283 9297 383840 2 API calls 9296->9297 9298 370711 9297->9298 9299 3711fc GetCommandLineA 9298->9299 9300 365730 2 API calls 9298->9300 9709 37bf70 9299->9709 9303 37077b 9300->9303 9302 37121a 9712 3640b0 lstrlen 9302->9712 9305 383840 2 API calls 9303->9305 9306 3707ff 9305->9306 9307 370845 9306->9307 9312 382780 ExitProcess 9306->9312 9309 365730 2 API calls 9307->9309 9313 37087a 9309->9313 9310 371257 GetModuleFileNameA 9713 372290 lstrlen CharLowerBuffA 9310->9713 9312->9307 9315 383840 2 API calls 9313->9315 9314 371347 9714 372290 lstrlen CharLowerBuffA 9314->9714 9316 3708ea 9315->9316 9318 370931 9316->9318 9320 382780 ExitProcess 9316->9320 9741 385860 9318->9741 9319 3713cd 9715 372290 lstrlen CharLowerBuffA 9319->9715 9320->9318 9324 365730 2 API calls 9326 370972 9324->9326 9325 3716fa 9790 3672e0 9325->9790 9328 383840 2 API calls 9326->9328 9348 3709f1 9328->9348 9329 371752 9330 37177a 9329->9330 9331 382780 ExitProcess 9329->9331 9798 38cbe0 9330->9798 9331->9330 9333 3717df 9335 363dc0 GetSystemTimeAsFileTime 9333->9335 9336 371805 9335->9336 9894 365f60 9336->9894 9338 371406 9338->9325 9716 377f00 9338->9716 9341 371523 9722 3660a0 9341->9722 9342 370bbd Sleep 9344 36b150 5 API calls 9342->9344 9345 370bfc 9344->9345 9345->9348 9347 3716cf 9349 382780 ExitProcess 9347->9349 9348->9342 9351 370cd0 Sleep 9348->9351 9354 370cf4 9348->9354 9747 37c250 9348->9747 9757 36b150 9348->9757 9766 363dc0 9348->9766 9349->9325 9350 37156e 9350->9347 9353 365730 2 API calls 9350->9353 9351->9348 9352 37182e 9355 37192c WSAStartup 9352->9355 9356 37160a 9353->9356 9357 37c250 6 API calls 9354->9357 9363 370df4 9354->9363 9364 370d81 9354->9364 9358 371965 9355->9358 9367 3719c2 9355->9367 9737 3640b0 
[Execution graph residue: the original report renders a control-flow graph of function addresses (0x361890 through 0x390bf0) and the Win32 APIs called from each node; only the flattened node/edge listing survived extraction and is not reproduced here.]
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 003703F9
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00370427
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 0037046A
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00370496
• GetTickCount.KERNEL32 ref: 00370587
• GetCommandLineA.KERNEL32 ref: 0037063E
• Sleep.KERNEL32(000003E8), ref: 00370CDF
  • Part of subcall function 0036B150: CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0036B1D7
• Sleep.KERNEL32(00000D05), ref: 00370BD2
  • Part of subcall function 0036B150: GetFileTime.KERNEL32(00000000,?,?,?), ref: 0036B256
  • Part of subcall function 0036B150: CloseHandle.KERNEL32(00000000), ref: 0036B26B
• Sleep.KERNEL32(000007D0), ref: 00370DD1
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00370EA8
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00370ECC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00370EFE
• SetFileAttributesA.KERNEL32(?,00000002), ref: 003710B9
• SetFileAttributesA.KERNEL32(?,00000080), ref: 003710E7
• GetCommandLineA.KERNEL32(00000000), ref: 0037120E
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 0037132B
  • Part of subcall function 00372290: lstrlen.KERNEL32(?), ref: 003722A2
  • Part of subcall function 00372290: CharLowerBuffA.USER32(?,00000000), ref: 003722BE
                                                                                                                                                                                                              • MessageBoxA.USER32(00000000,00000004,00000005,00000000), ref: 00371663
                                                                                                                                                                                                                • Part of subcall function 003672E0: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00367452
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00371AC5
                                                                                                                                                                                                              • SetFileAttributesA.KERNEL32(?,00000080), ref: 00371AE1
                                                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000000), ref: 00371B07
                                                                                                                                                                                                              • SetFileAttributesA.KERNEL32(?,00000002), ref: 00371B43
                                                                                                                                                                                                              • Sleep.KERNEL32(000003E8), ref: 00371CAC
                                                                                                                                                                                                              • WSAStartup.WS2_32(00000202,?), ref: 00371947
                                                                                                                                                                                                                • Part of subcall function 00382780: ExitProcess.KERNEL32 ref: 003827B0
                                                                                                                                                                                                              • Sleep.KERNEL32(000007D0), ref: 00371DFC
                                                                                                                                                                                                              • SetFileAttributesA.KERNEL32(003A6680,00000080), ref: 00371E27
                                                                                                                                                                                                              • CopyFileA.KERNEL32(?,003A6680,00000000), ref: 00371E45
                                                                                                                                                                                                              • SetFileAttributesA.KERNEL32(003A6680,00000002), ref: 00371E7B
                                                                                                                                                                                                                • Part of subcall function 0038C080: Sleep.KERNEL32(000003E8), ref: 0038C1C3
                                                                                                                                                                                                                • Part of subcall function 0036BBA0: wvsprintfA.USER32(00000000,?,003809D1), ref: 0036BBEB
                                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0002FE10,00000000,00000000,00000000), ref: 00372194
                                                                                                                                                                                                              • Sleep.KERNEL32(0000C350), ref: 00372210
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: File$AttributesSleep$Create$CopyMutex$CloseCommandHandleLineModuleName$BuffCharCountEnvironmentExitLowerMessageProcessStartupThreadTickTimeVariablelstrlenwvsprintf
• String ID: C:\Users\user$x7;C
• API String ID: 1500488346-3147083300
• Opcode ID: b5e2e2979dbb7beb24ba365ab71441c79239ebc73a4ecaa6162e691b2e9f4ea1
• Instruction ID: c701f8f9de7c62fc00a0b8effdee3f7868e1c0609e66772defc6698373696cb9
• Opcode Fuzzy Hash: b5e2e2979dbb7beb24ba365ab71441c79239ebc73a4ecaa6162e691b2e9f4ea1
• Instruction Fuzzy Hash: 7203FF76A10200CFD71BDF68ED92A6A77BDFB96300F04812AE406CB2B5E7799941CF51

Control-flow Graph
(Rendered basic-block graph omitted; the image distinguished executed from not-executed blocks. Function entry block: 00372490. The API calls named on the graph are the ones listed under APIs below.)
APIs
• GetVersionExA.KERNEL32(003AEAC8), ref: 00372572
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 003726EF
• DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00372843
• RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 0037289F
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0037293F
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003729E1
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00372CAC
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00372D6E
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00372EB0
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0037307B
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 003731FA
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 0037344D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Users\user$C:\daxjjwrfm\$Wq0O$\
• API String ID: 1691758827-149769076
• Opcode ID: a4c3dba0503179f5da3ec809ff52adde025eaa0de62205d024280e693be8cb7d
• Instruction ID: dd89c378a1b4d8366f69426044dadfe87d270923949190b6d10dc6e7962612ec
• Opcode Fuzzy Hash: a4c3dba0503179f5da3ec809ff52adde025eaa0de62205d024280e693be8cb7d
• Instruction Fuzzy Hash: E28225B1A00205CFD71BDF28ED82AA677BDFB56710F00812BE406CB2B5E77A9941CB51

Control-flow Graph
(Rendered basic-block graph omitted; the image distinguished executed from not-executed blocks. Function entry block: 003660a0. The API calls named on the graph are the ones listed under APIs below.)
APIs
  • Part of subcall function 003640B0: lstrlen.KERNEL32(?,?,00361038,?), ref: 003640DD
• Sleep.KERNELBASE(000003E8), ref: 00366189
• FindFirstFileA.KERNELBASE(?,?), ref: 00366274
• DeleteFileA.KERNELBASE(?), ref: 0036632E
• FindNextFileA.KERNELBASE(?,?), ref: 00366384
• FindClose.KERNEL32(?), ref: 003663AA
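Read together, the first and third API listings on this page describe two routines: one fetches the running image's own path with GetModuleFileNameA, clears attributes on the target with SetFileAttributesA(..., 00000080) (FILE_ATTRIBUTE_NORMAL), copies itself with CopyFileA and then marks the copy with 00000002 (FILE_ATTRIBUTE_HIDDEN); the listing just above walks a directory with FindFirstFileA/FindNextFileA and calls DeleteFileA on each match. The Python below is an added example and is not part of the Joe Sandbox report or of the sample's code: it parses lines in the report's "APIs" format (the sample input is constructed from lines on this page), decodes the FILE_ATTRIBUTE_* constants, and flags the copy-then-hide sequence, the enumerate-and-delete loop, and Sleep calls of 30 s or more (Sleep(0000C350) is 50 000 ms). The 30 s threshold and the address-order heuristics are assumptions of the example, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Win32 FILE_ATTRIBUTE_* bits as passed in the second argument of SetFileAttributesA.
FILE_ATTRIBUTES = {
    0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM",
    0x20: "ARCHIVE", 0x80: "NORMAL", 0x100: "TEMPORARY",
}

# Constructed input: a subset of the report's "APIs" lines, verbatim in shape.
SELF_COPY_TRACE = """\
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00370EA8
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00370ECC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00370EFE
• SetFileAttributesA.KERNEL32(?,00000002), ref: 003710B9
• GetCommandLineA.KERNEL32 ref: 0037063E
  • Part of subcall function 00382780: ExitProcess.KERNEL32 ref: 003827B0
• SetFileAttributesA.KERNEL32(003A6680,00000080), ref: 00371E27
• CopyFileA.KERNEL32(?,003A6680,00000000), ref: 00371E45
• SetFileAttributesA.KERNEL32(003A6680,00000002), ref: 00371E7B
• CreateThread.KERNEL32(00000000,00000000,Function_0002FE10,00000000,00000000,00000000), ref: 00372194
• Sleep.KERNEL32(0000C350), ref: 00372210
"""

WIPE_TRACE = """\
• Sleep.KERNELBASE(000003E8), ref: 00366189
• FindFirstFileA.KERNELBASE(?,?), ref: 00366274
• DeleteFileA.KERNELBASE(?), ref: 0036632E
• FindNextFileA.KERNELBASE(?,?), ref: 00366384
• FindClose.KERNEL32(?), ref: 003663AA
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]      # None where the sandbox printed '?' or a symbol
    ref: int                       # address of the call site
    subcall_of: Optional[int]      # set for "Part of subcall function X:" lines


_LINE = re.compile(r"""
    ^\s*•\s*
    (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-Fa-f]+):\s*)?
    (?P<api>\w+)\.(?P<module>\w+)
    (?:\((?P<args>[^)]*)\))?          # argument list is absent on some lines
    \s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$
""", re.VERBOSE)


def _arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                   # headings and non-API lines are skipped
        args = [_arg(t) for t in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def decode_attributes(value: int) -> List[str]:
    names = [name for bit, name in FILE_ATTRIBUTES.items() if value & bit]
    return names or [f"0x{value:x}"]


def find_hidden_self_copy(calls: List[ApiCall]) -> List[int]:
    """Refs of SetFileAttributesA(..., HIDDEN) that follow GetModuleFileNameA and
    CopyFileA in the function's own calls (subcall lines are ignored)."""
    saw_modname = saw_copy = False
    hits = []
    for c in (c for c in calls if c.subcall_of is None):
        if c.api in ("GetModuleFileNameA", "GetModuleFileNameW"):
            saw_modname = True
        elif c.api in ("CopyFileA", "CopyFileW") and saw_modname:
            saw_copy = True
        elif (c.api in ("SetFileAttributesA", "SetFileAttributesW") and saw_copy
              and len(c.args) > 1 and c.args[1] is not None and c.args[1] & 0x2):
            hits.append(c.ref)
            saw_copy = False           # one hit per copy
    return hits


def find_enumerate_delete(calls: List[ApiCall]) -> List[int]:
    """Refs of DeleteFileA sitting between FindFirstFileA and FindNextFileA.
    The listing is in address order, so the loop back-edge is not visible here;
    the heuristic assumes the loop body lies between the two Find* calls."""
    inside = False
    hits = []
    for c in calls:
        if c.api in ("FindFirstFileA", "FindFirstFileW"):
            inside = True
        elif c.api in ("FindNextFileA", "FindNextFileW", "FindClose"):
            inside = False
        elif inside and c.api in ("DeleteFileA", "DeleteFileW"):
            hits.append(c.ref)
    return hits


def long_sleeps(calls: List[ApiCall], threshold_ms: int = 30_000) -> List[Tuple[int, int]]:
    """(ref, milliseconds) for Sleep calls at or above the threshold (assumed 30 s)."""
    return [(c.ref, c.args[0]) for c in calls
            if c.api == "Sleep" and c.args and c.args[0] is not None
            and c.args[0] >= threshold_ms]


if __name__ == "__main__":
    calls = parse_trace(SELF_COPY_TRACE)
    for ref in find_hidden_self_copy(calls):
        print(f"copy-then-hide at {ref:08X}")
    for ref, ms in long_sleeps(calls):
        print(f"long Sleep({ms} ms) at {ref:08X}")
    for ref in find_enumerate_delete(parse_trace(WIPE_TRACE)):
        print(f"enumerate-and-delete at {ref:08X}")
```

The parser keys on the report's own line shape (bullet, `Api.MODULE(args), ref: address`, optional "Part of subcall function" prefix); a listing copied from any function entry on the page can be fed to it as-is. Because the listing is sorted by call-site address rather than execution order, both detectors are ordering heuristics over a static trace, which is why the CFG, not this listing, is what establishes that DeleteFileA is actually in the Find loop.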
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleeplstrlen
• String ID: xsh
• API String ID: 3282225923-3135071692

Control-flow Graph: function starting at 37c520 (graph rendering omitted)
APIs
• GetProcessHeap.KERNEL32(00000000,N9,?,00390A4E,00000000), ref: 0037C549
• RtlFreeHeap.NTDLL(00000000,?,00390A4E,00000000), ref: 0037C550
Similarity
• API ID: Heap$FreeProcess
• String ID: N9
• API String ID: 3859560861-548346202

Control-flow Graph: function starting at 383060 (graph rendering omitted)
APIs
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0038327A
• WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 0038344B
• CloseHandle.KERNELBASE(?), ref: 003834DA
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID:
• API String ID: 1065093856-0

Control-flow Graph: function starting at 38c640 (graph rendering omitted)
APIs
• AllocateAndInitializeSid.ADVAPI32(00372591,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00372591), ref: 0038C701
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0038C737
• FreeSid.ADVAPI32(?), ref: 0038C798
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0

Control-flow Graph: function starting at 37b744 (graph rendering omitted)
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                              • Opcode ID: 822355a58be36f77c90a0eb18d5124c0b3500a77cea8537c00434e0f990d4af1
                                                                                                                                                                                                              • Instruction ID: fd0ec06597504b0807be3774043ebd9ba7871810ad5c702e50b0c769bd39ba20
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 822355a58be36f77c90a0eb18d5124c0b3500a77cea8537c00434e0f990d4af1
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 16C176366252418BC34BCF29FE9252577FDFB9A721B10912FE402CB2B0E77A9941CB45

Control-flow Graph

APIs
• CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,000000FF), ref: 0038A7F1
• ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,000000FF), ref: 0038A849
• CloseHandle.KERNELBASE(00000000,?,?,000000FF), ref: 0038A885
• GetTickCount.KERNEL32 ref: 0038A8B8
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0038AA75
• WriteFile.KERNELBASE(00000000,000000FF,?,?,00000000), ref: 0038AAC8
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0038AAE2
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID:
• API String ID: 3478262135-0
• Opcode ID: a126c1cfb3382584c7562ff15d8cd0833ff61f576336617639d72772b1b5210e
• Instruction ID: c3a28f945f0f045c22cc0edb6effa13e29d485c3f8910ee19860d61e12869ff9
• Opcode Fuzzy Hash: a126c1cfb3382584c7562ff15d8cd0833ff61f576336617639d72772b1b5210e
• Instruction Fuzzy Hash: 95A101756016109FE307DF28ED82B7A33BDEB8A711F04401BE805CB3A4E7799981CB96

Control-flow Graph

APIs
• CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000008,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00383A0F
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00383A3E
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00383A52
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 66f64cd663b83afa75fe3f315b5e5c5e09b05c334676a32ebf24166ecb77916e
• Instruction ID: a3182b0cf54eca5a13f6e2ca99565c2eb7c437920d79da6eaec689cfd63e4102
• Opcode Fuzzy Hash: 66f64cd663b83afa75fe3f315b5e5c5e09b05c334676a32ebf24166ecb77916e
• Instruction Fuzzy Hash: E141E1719013149FDB0ADF58ED92B6937BDFB59B01F00801FE506DB2A4D3B6A944CB85

Control-flow Graph

APIs
• GetProcessHeap.KERNEL32(00000000,?,?,00379195,021A1850,?,?,?,?,?,00386DD6), ref: 00376F59
• RtlAllocateHeap.NTDLL(00000000,?,00379195,021A1850,?,?,?,?,?,00386DD6), ref: 00376F60
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: a3f67ff6c9ba618495027bf11a9b310bb39f3dbce8b018d93a3d5a4617d230e1
• Instruction ID: 984033b22d3fa75d6408c598e52d9a64186a6ec008696087837e5e0ded43c613
• Opcode Fuzzy Hash: a3f67ff6c9ba618495027bf11a9b310bb39f3dbce8b018d93a3d5a4617d230e1
• Instruction Fuzzy Hash: 2DF0EC31514B008BCB0ADB69FD9AB2637EDFB56741F044015F506CB670E6B69400C7D8

Control-flow Graph

APIs
• lstrlen.KERNEL32(?), ref: 003722A2
• CharLowerBuffA.USER32(?,00000000), ref: 003722BE
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0
• Opcode ID: 72335287d71dc4b9f457fb1932e0392ce546bd5dab9398197f9ed4473836fa89
• Instruction ID: 9bc8f926e9f098101d90408f4e2da28535239c93ca17f14634aef0d21751a3e6
• Opcode Fuzzy Hash: 72335287d71dc4b9f457fb1932e0392ce546bd5dab9398197f9ed4473836fa89
• Instruction Fuzzy Hash: E5E0DF721105209B83029F98FC4D0F533ECFB06B02F080056E54AC21B0EB2C18418390

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                              control_flow_graph 826 386d32-386d89 call 362ef0 call 3620e0 832 386d8b-386da8 826->832 833 386db5-386dd1 call 385400 call 378660 826->833 832->833 834 386daa-386daf 832->834 838 386dd6-386dfb 833->838 834->833 839 386dfd-386e0a 838->839 840 386e10-386e24 call 36ad30 838->840 839->840 843 386e43-386e44 ExitProcess 840->843 844 386e26-386e3d 840->844 844->843
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 003620E0: GetStdHandle.KERNEL32(000000F6,?,?,00386D5F), ref: 00362113
                                                                                                                                                                                                                • Part of subcall function 003620E0: GetStdHandle.KERNEL32(000000F5,?,?,00386D5F), ref: 00362145
                                                                                                                                                                                                                • Part of subcall function 003620E0: GetStdHandle.KERNEL32(000000F4,?,?,00386D5F), ref: 00362198
                                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 00386E44
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Handle$ExitProcess
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 256993070-0
                                                                                                                                                                                                              • Opcode ID: acedba22cae698224e0f9b84c58c5268157da7399c4f7653fd47b1ace864aa93
                                                                                                                                                                                                              • Instruction ID: c8c68a07d78819d8b7c6daeed8cc2d4b719a71ca051854389a7fea115844cd14
                                                                                                                                                                                                              • Opcode Fuzzy Hash: acedba22cae698224e0f9b84c58c5268157da7399c4f7653fd47b1ace864aa93
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D721BE26611A108BC707EF74FC9357933AEE756361B048516E811CFB69FB798541C741

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                              control_flow_graph 845 382780-3827b0 call 36ad30 ExitProcess
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ExitProcess
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 621844428-0
                                                                                                                                                                                                              • Opcode ID: a855f3585cb902cf3fa6c7182a11f158660323ae65d372147c7390203fc4dd75
                                                                                                                                                                                                              • Instruction ID: 9acade4d406d9b2ae7818c1de21a9fb09ea4cb3eec77fa2e150504761f9e15cc
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a855f3585cb902cf3fa6c7182a11f158660323ae65d372147c7390203fc4dd75
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 05D052704203088AC702BF20FE86A22B7ACFB42700F00581AE8008F224F378E6828BD1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 0038F00B
                                                                                                                                                                                                              • SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0038F086
                                                                                                                                                                                                              • CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 0038F0A6
                                                                                                                                                                                                              • SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0038F147
                                                                                                                                                                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0038F2C2
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0038F353
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 0038F367
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0038F37B
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0038F3A9
                                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0038F446
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0038F4D4
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0038F4E8
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,00002710), ref: 0038F56B
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 0038F586
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 0038F5A7
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
                                                                                                                                                                                                              • String ID: ;8\w$<,]8$D$^K6
                                                                                                                                                                                                              • API String ID: 1130065513-1325849568
                                                                                                                                                                                                              • Opcode ID: 3453e0f68c4d3d56c2f701d455321675f3ba02e17525027e43db7ee7219a29a4
                                                                                                                                                                                                              • Instruction ID: 1e924aaece7910ed5dc888e9d78ecb444807a08767221dbd7e5eede86a2dafd6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3453e0f68c4d3d56c2f701d455321675f3ba02e17525027e43db7ee7219a29a4
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5E12EF75A10205DFC70ADF68ED86AAA77BDFB9A310F14812BE802D76B4E7359940CB50
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Time$FileSystem__aulldivlstrlen
                                                                                                                                                                                                              • String ID: !|/0$'~(-$/$@(l$$SbJ$*c
                                                                                                                                                                                                              • API String ID: 3360920532-3188750162
                                                                                                                                                                                                              • Opcode ID: 50832009c85d1ec1e552eaf9e05e0f57de81bb2760414b8b160bd8f38ca84b5d
                                                                                                                                                                                                              • Instruction ID: 79bfa7d4a154a39276bd0e058f0f9c322c3eb9fb3c0c76fc8f9824beceb7cf7d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 50832009c85d1ec1e552eaf9e05e0f57de81bb2760414b8b160bd8f38ca84b5d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: AA920571A103008FC70BEF28EC9267A77BDFB96310F10856BE406DB2A1EB759945CB91
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000001), ref: 0038DD1A
                                                                                                                                                                                                              • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000001), ref: 0038DDBB
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0038DE59
                                                                                                                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0038DEBE
                                                                                                                                                                                                              • HeapAlloc.KERNEL32(0038D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0038DF03
                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0038DF39
                                                                                                                                                                                                              • HeapFree.KERNEL32(0038D075,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0038DFDD
                                                                                                                                                                                                              • HeapAlloc.KERNEL32(0038D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0038E00E
                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0038E035
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FreeHeapLibrary$Alloc$AddressLoadProcProcess
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1582890587-0
                                                                                                                                                                                                              • Opcode ID: 6ef5fa86701c46b33f077c143db81111d2cdd81f0358836897eec378e8bbe09d
                                                                                                                                                                                                              • Instruction ID: c03af649f467a6fc02429444a9bf1c14668fb7bcf82c3f3387ae10dca91daed1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6ef5fa86701c46b33f077c143db81111d2cdd81f0358836897eec378e8bbe09d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: CB52EF76A103008FD30ADF29EC926AA77FCF75A321F10812BE806CB6B0E7759941CB51
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 0038B8EC
                                                                                                                                                                                                              • Process32First.KERNEL32(00000000,00000128), ref: 0038BA96
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateFirstProcess32SnapshotToolhelp32
                                                                                                                                                                                                              • String ID: 9y8
                                                                                                                                                                                                              • API String ID: 2353314856-3592070472
                                                                                                                                                                                                              • Opcode ID: 14b3eb4494bc944d8275f12f587aa1a5339f6a021b65d7fc7d51c39f3af81015
                                                                                                                                                                                                              • Instruction ID: d334749830518940b48d55a26da2a3246e5dcd93f127d5e2204554e92488833d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 14b3eb4494bc944d8275f12f587aa1a5339f6a021b65d7fc7d51c39f3af81015
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 10F12172A102018BC71BDF29ED92A7A77FDFB96710F00815BE406CB2B4E7799981CB50
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 0037826F
                                                                                                                                                                                                              • CreateServiceA.ADVAPI32(00000000,00CA05B8,00CA05B8,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 003782CA
                                                                                                                                                                                                              • ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00378301
                                                                                                                                                                                                              • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00378323
                                                                                                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 0037833A
                                                                                                                                                                                                              • OpenServiceA.ADVAPI32(00000000,00CA05B8,00000010), ref: 0037838B
                                                                                                                                                                                                              • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 003783C2
                                                                                                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 00378408
                                                                                                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 00378481
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3525021261-0
                                                                                                                                                                                                              • Opcode ID: e4d75b547a08841dd70ff02c5dacb064607dc2050fe1e04184243f38402a47dc
                                                                                                                                                                                                              • Instruction ID: 5de3b27aa9c380063431ca28f46b0d9d2fe4cc9a4c8ca30209f9e2c84d49e6cf
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e4d75b547a08841dd70ff02c5dacb064607dc2050fe1e04184243f38402a47dc
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F861CD716546119BD31BCB68FC8AB3637FCF746701F04911BE805C66B0EBB69881CB51
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: %$)0.N$.6<$0$@~|Z$l$l$l
                                                                                                                                                                                                              • API String ID: 0-3339051608
                                                                                                                                                                                                              • Opcode ID: fff5a9ed584ad8513e5d3631e67dce374d3af39581bec75c4d7ff3c1e1038dfa
                                                                                                                                                                                                              • Instruction ID: 48693ac155101630c6ba2c045778655b8e50499a81b55d39edbff8fa45ca6420
                                                                                                                                                                                                              • Opcode Fuzzy Hash: fff5a9ed584ad8513e5d3631e67dce374d3af39581bec75c4d7ff3c1e1038dfa
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9E43BA76A14201CFC72BCF28ED9266A77F9FB5A310F14812BD40ADB6B4E7399841CB45
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000,00000001), ref: 0038A124
                                                                                                                                                                                                              • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,0000000A,?,00000000,?,00000000,00000001), ref: 0038A164
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,00000000,00000001), ref: 0038A176
                                                                                                                                                                                                              • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,-0000001A,0000000A,?,00000000,00000001), ref: 0038A24F
                                                                                                                                                                                                                • Part of subcall function 0036BBA0: wvsprintfA.USER32(00000000,?,003809D1), ref: 0036BBEB
                                                                                                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,00000001), ref: 0038A44C
                                                                                                                                                                                                              Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicewvsprintf
• String ID:
• API String ID: 475583450-0
• Opcode ID: 127448c40db118124771fb1cb41b5c072340bbd44bec4bc04e3f8d8f7ae0a0c4
• Instruction ID: 1ec75864f74c7df5578c78b7193522bcc19aadf5585857a80182f95572ea4df2
• Opcode Fuzzy Hash: 127448c40db118124771fb1cb41b5c072340bbd44bec4bc04e3f8d8f7ae0a0c4
• Instruction Fuzzy Hash: EBC1EF76A103009BD716DF69ED81A6AB7FDFBAA300F00812BE505DB2B0E7759941CB52
Strings
Similarity
• API ID:
• String ID: !|/0$/$@(l$
• API String ID: 0-3106747989
• Opcode ID: 53cd9d213653e20acb6c64234554dd01c727141c7deb96893502311c6a3fe091
• Instruction ID: 2ac8ed0ec6674f4857fdd51af72833bce6dc10a8396577a7c2c382da5e03e8d6
• Opcode Fuzzy Hash: 53cd9d213653e20acb6c64234554dd01c727141c7deb96893502311c6a3fe091
• Instruction Fuzzy Hash: 81022571A103008BD71BEF64EC92ABE77BDFB55310F10816BE4069B2A1EB759A45CF90
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0037C312 (dwFlags 0x2 = TH32CS_SNAPPROCESS, th32ProcessID 0: snapshot of all processes)
• Process32First.KERNEL32(00000000,?), ref: 0037C35A
• Process32Next.KERNEL32(00000000,00000128), ref: 0037C478
Together these three calls form the standard Toolhelp process-enumeration loop: take a process snapshot, then walk every PROCESSENTRY32 record with Process32First/Process32Next. Malware typically uses this loop to look for analysis tools, security products or a specific parent process by image name.
Similarity
• API ID: Process32$CreateFirstNextSnapshotToolhelp32
• String ID:
• API String ID: 1238713047-0
• Opcode ID: d87760c14378a72e65a7b8630a33cc34d2ce4ff370c51ee4373ebe7f2b96a8e0
• Instruction ID: bc0f4ceab7f327d6fd177a983a226057cf077fd80a728b6616e0d1386958b7b8
• Opcode Fuzzy Hash: d87760c14378a72e65a7b8630a33cc34d2ce4ff370c51ee4373ebe7f2b96a8e0
• Instruction Fuzzy Hash: 6C513375910211CFD727CF24FD95AA937BDFB86301F00841BE8469A6B4EB798940CF91
Strings
Similarity
• API ID:
• String ID: :rgN
• API String ID: 0-1384114704
• Opcode ID: 4d89211d69dd612edb2b703286179347e695e4870a78258eafc4557475a93a01
• Instruction ID: b9e2a455162aad0ea9d74ac57eb66472aa67274fea0aa807252037505c38814f
• Opcode Fuzzy Hash: 4d89211d69dd612edb2b703286179347e695e4870a78258eafc4557475a93a01
• Instruction Fuzzy Hash: 1532F375A10301DBC717EF28EC8267A73BEFB96310F54845BE802DB6A5EB359941CB90
APIs
Strings
Similarity
• API ID: CountSystemTickTime
• String ID: @(l$
• API String ID: 2164215191-2034585603
• Opcode ID: 192d925970fa7f581815a71388b8a1d6012e559e400083091f9484cb296ba5c3
• Instruction ID: aa739564ff1c4dfc9feb4411c7af4387aaaebd4dcda2fec28a26ab9c69afc080
• Opcode Fuzzy Hash: 192d925970fa7f581815a71388b8a1d6012e559e400083091f9484cb296ba5c3
• Instruction Fuzzy Hash: 76418C729112108FD34BDF28FCC257677ADF7A6721F08412BD846CA671E77A9940CBA0
Strings
Similarity
• API ID:
• String ID: ,L$7dsX$Pl6$W
• API String ID: 0-545268470
• Opcode ID: d1db13f5929bf6d0cbac14ddb70c35451e9c2d38b86b2df7960bc189db62baaf
• Instruction ID: e2affd6bd25911ccb93f0ca58bfa5ec67ee437511972dec510815b206645a870
• Opcode Fuzzy Hash: d1db13f5929bf6d0cbac14ddb70c35451e9c2d38b86b2df7960bc189db62baaf
• Instruction Fuzzy Hash: 8FE10276A107108BC70ACF29ECD156A77FAFB9A321F15822FD8069B374D7395841CB94
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00382CB0 (hModule NULL: path of the calling executable; nSize 0x104 = 260 = MAX_PATH)
• Sleep.KERNEL32(00015F90), ref: 00382E36 (0x15F90 = 90000 ms, a 90 second delay)
• DeleteFileA.KERNEL32(?), ref: 00382E4D
The sequence resolves the caller's own image path, sleeps for 90 seconds and then deletes a file, which is the shape of a delayed self-removal routine. DeleteFileA cannot remove the image of a process that is still running (the call fails with a sharing violation), so in practice the deleted file is a copy or the original dropper after control has been handed to a relocated instance. The 90 second sleep is also long enough to outlast short sandbox runs, which matters when interpreting a report in which execution stopped while the process was sleeping.
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: File$DeleteModuleNameSleep
• String ID:
• API String ID: 2157229623-0
Strings
Similarity
• API ID:
• String ID: V#7$[m#X$t#A9
• API String ID: 0-2000824755
Strings
Similarity
• API ID:
• String ID: C:\Users\user$p`^p$=]
• API String ID: 0-4116397439
APIs
  • Part of subcall function 0038EEB0: CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 0038F00B
• DeleteFileA.KERNEL32(?), ref: 00364B8D
Strings
Similarity
• API ID: CreateDeleteFilePipe
• String ID:
• API String ID: 4227001771-3916222277
Strings
Similarity
• API ID:
• String ID: ,L$Pl6$W
• API String ID: 0-3761019080
Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID:
• String ID: ,L$Pl6$W
• API String ID: 0-3761019080
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: CountSystemTickTime
• String ID: 1BJ
• API String ID: 2164215191-3696045056
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID:
• String ID: j7$j7
• API String ID: 0-2901554399
APIs
• GetComputerNameA.KERNEL32(?,00000010), ref: 0038CD44
  • Part of subcall function 003640B0: lstrlen.KERNEL32(?,?,00361038,?), ref: 003640DD
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: ComputerNamelstrlen
• String ID:
• API String ID: 4141851928-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID:
• String ID: @H
• API String ID: 0-679593823
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID:
• String ID: @H
• API String ID: 0-679593823
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: zwfC
                                                                                                                                                                                                              • API String ID: 0-2819243322
                                                                                                                                                                                                              • Opcode ID: 92041e3872c8d87075f42b990deedc04dbdb46ee2c17f01ba5f5825666af8c8f
                                                                                                                                                                                                              • Instruction ID: 03cefe9998cc99e58286fbc7b7217450de4f03e60c89c9b08be2d0761c6fa869
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 92041e3872c8d87075f42b990deedc04dbdb46ee2c17f01ba5f5825666af8c8f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 19E1F575A006049FC70BEF68ED9296A77AEFB96310F14852FE806CB371E7759801CB91
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: +EM
                                                                                                                                                                                                              • API String ID: 0-2077864378
                                                                                                                                                                                                              • Opcode ID: 00710b5c2b9aa678e262be97ef38c814cda3b49d53300df901944535ec3c59bd
                                                                                                                                                                                                              • Instruction ID: 6c19b6576c413d507de765e642b01d0328b65ff35f5666608261810c1a2b9f1a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 00710b5c2b9aa678e262be97ef38c814cda3b49d53300df901944535ec3c59bd
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 40D10F7AA04611CBC70BCF28FDD156677ADF79A311F10C62BD8468B679E7369801CB41
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0038503B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CtrlDispatcherServiceStart
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3789849863-0
                                                                                                                                                                                                              • Opcode ID: e16abdfecd3f59b2640092fc8532ef930db4d401a15effdc18dd091aa55fe6a7
                                                                                                                                                                                                              • Instruction ID: 1176e120d3295647b95372728aafb3485ed6173c4def6c6be2e7945841715642
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e16abdfecd3f59b2640092fc8532ef930db4d401a15effdc18dd091aa55fe6a7
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 92F01271D142088FC706CFA8E8414AABBF8FB16315F004969E805C3324F7359A10CB81
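The entry above is the one function in this dump that references StartServiceCtrlDispatcherA, i.e. the sample is written to be started by the Service Control Manager. The ref address 0038503B is a virtual address inside the dumped module, which the "Source File" line says was loaded at Offset 00360000, so the location to look up in the on-disk PE is the RVA 0x2503B, not 0x38503B. The following is an added example, not part of the Joe Sandbox report: a small parser for these flattened function entries that pulls out the API references, the module base and the hash fields, and translates each reference to an RVA. The sample input is constructed from the two entries on this page (abbreviated to one "Associated" line each); the entry layout it keys on (an entry ends with its "Instruction Fuzzy Hash" line) is taken from this report as rendered here, and the field names and structure are this page's, not a documented Joe Sandbox export format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: two function entries copied from this report,
# abbreviated, with the "Download File" link labels removed.
SAMPLE_REPORT = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID:
• String ID: +EM
• API String ID: 0-2077864378
• Opcode ID: 00710b5c2b9aa678e262be97ef38c814cda3b49d53300df901944535ec3c59bd
• Instruction ID: 6c19b6576c413d507de765e642b01d0328b65ff35f5666608261810c1a2b9f1a
• Opcode Fuzzy Hash: 00710b5c2b9aa678e262be97ef38c814cda3b49d53300df901944535ec3c59bd
• Instruction Fuzzy Hash: 40D10F7AA04611CBC70BCF28FDD156677ADF79A311F10C62BD8468B679E7369801CB41
APIs
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0038503B
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
• Opcode ID: e16abdfecd3f59b2640092fc8532ef930db4d401a15effdc18dd091aa55fe6a7
• Instruction ID: 1176e120d3295647b95372728aafb3485ed6173c4def6c6be2e7945841715642
• Opcode Fuzzy Hash: e16abdfecd3f59b2640092fc8532ef930db4d401a15effdc18dd091aa55fe6a7
• Instruction Fuzzy Hash: 92F01271D142088FC706CFA8E8414AABBF8FB16315F004969E805C3324F7359A10CB81
"""

# "• Name.DLL(args), ref: VA" lines under the APIs header
API_CALL_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
# "• Source File: <dump>, Offset: <base>, based on PE: true|false"
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)\s*$")
# any other "• Key: value" bullet (IDs, hashes, snapshot file, associated dumps)
FIELD_RE = re.compile(r"^•\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


@dataclass
class FunctionEntry:
    source_file: str = ""
    module_base: int = 0              # "Offset" of the source dump = module load address
    based_on_pe: bool = False
    associated: list = field(default_factory=list)
    api_calls: list = field(default_factory=list)   # (api, dll, ref_va)
    fields: dict = field(default_factory=dict)      # "Opcode ID", "String ID", ...

    def rva(self, va: int) -> int:
        """Sandbox virtual address -> RVA relative to the dumped module base."""
        return va - self.module_base


def parse_entries(text: str) -> list:
    """Split the flattened report into FunctionEntry records; each ends at its Instruction Fuzzy Hash."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_CALL_RE.match(line)
        if m:
            cur.api_calls.append((m.group(1), m.group(2), int(m.group(4), 16)))
            continue
        m = SOURCE_RE.match(line)
        if m:
            cur.source_file = m.group(1)
            cur.module_base = int(m.group(2), 16)
            cur.based_on_pe = m.group(3) == "true"
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                      # section headers such as "Strings", "APIs"
        key, value = m.group(1), m.group(2)
        if key == "Associated":
            cur.associated.append(value)
        else:
            cur.fields[key] = value
        if key == "Instruction Fuzzy Hash":   # last bullet of every entry
            entries.append(cur)
            cur = FunctionEntry()
    return entries


def find_api_callers(entries: list, api_substring: str) -> list:
    """(api, dll, va, rva, opcode_id) for every reference whose API name contains api_substring."""
    hits = []
    for e in entries:
        for api, dll, va in e.api_calls:
            if api_substring.lower() in api.lower():
                hits.append((api, dll, va, e.rva(va), e.fields.get("Opcode ID", "")))
    return hits


if __name__ == "__main__":
    for api, dll, va, rva, opcode_id in find_api_callers(parse_entries(SAMPLE_REPORT), "ServiceCtrlDispatcher"):
        print(f"{api} ({dll}) VA {va:08X} RVA {rva:05X} opcode-id {opcode_id[:12]}...")
```

The RVA is what to take into IDA or Ghidra against the on-disk sample, since the sandbox image base (0x360000 here) will not match the file's preferred base; the Opcode ID travels with the hit so the same function can be matched across other reports of related samples.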
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID:
• String ID: !B%I
• API String ID: 0-2905040698
• Opcode ID: a08fb361fc45dea30778dfcfe6506a164ea6de9f87d83ddcb9a3a4432774a147
• Instruction ID: d18b483b50031c0cdd6839b9a5cf7671b134fa1132d5ace87a33cb4c1a606bc9
• Opcode Fuzzy Hash: a08fb361fc45dea30778dfcfe6506a164ea6de9f87d83ddcb9a3a4432774a147
• Instruction Fuzzy Hash: 8AB10036A142408FC30ACF29EC8152A7BFEFBA6311F14C16BD845DB6B5E7398942CB51
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID:
• String ID: eH(
• API String ID: 0-1750492490
• Opcode ID: 25e0e5d406727248134ac58d761c1aa99119f7b7c7d5fe1af6eee0c677544de6
• Instruction ID: 73015b158044932bd44e07a7e4bd63bc4bb416d96b3a145e5447c8ea8f5d7066
• Opcode Fuzzy Hash: 25e0e5d406727248134ac58d761c1aa99119f7b7c7d5fe1af6eee0c677544de6
• Instruction Fuzzy Hash: E391ED765042218BC35ACF69EC9263677FDFB96321F01812FE816CB6B1E7398801CB91
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID:
• String ID: eH(
• API String ID: 0-1750492490
• Opcode ID: 0db767afd1d25bb5aa3e80ee846462849abe3d2918e7f16532763d6f42826515
• Instruction ID: 7594a8eca76eb97acedea89893fbdde465231b6d3e6382be18c94f4e1cb8a63b
• Opcode Fuzzy Hash: 0db767afd1d25bb5aa3e80ee846462849abe3d2918e7f16532763d6f42826515
• Instruction Fuzzy Hash: F291EE76514221CBC31ACF69EC9263677FDFB96321F01812EE816CB6B0E7798801CB91
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: +EM
                                                                                                                                                                                                              • API String ID: 0-2077864378
                                                                                                                                                                                                              • Opcode ID: 195f716bcf63305863608ab7023ffbe1e9af5fcdf8433dd7317b46b76cd7cb6d
                                                                                                                                                                                                              • Instruction ID: 99cea096e0b5f46f844087796e792a45bb30106ace850c3a77801f351b60d755
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 195f716bcf63305863608ab7023ffbe1e9af5fcdf8433dd7317b46b76cd7cb6d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DC710D7A904641CFC70BCF28EDC01657BEDF79A311F25C62BD8868B269E7369846CB41
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: dcd233ce641302441a250c8194a1a82cf77f85dbfdcc532f0754eca46148dd89
                                                                                                                                                                                                              • Instruction ID: 9b71f3556c48f5378c801ea7a6e94f5ed4d388a7eff8c62ab121bc93340b1ef6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dcd233ce641302441a250c8194a1a82cf77f85dbfdcc532f0754eca46148dd89
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 36920675900205DFCB1BDF68ED919BA77BDFB99310F00811BE80ADB260E7799941CB91
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 3fb623972f05c22cf6924f7b90f74e98d3e29672e804eafc8d55a77365ffad41
                                                                                                                                                                                                              • Instruction ID: f5e3eacbcf7e6492c65ec41ba767232dab3403e99650b7a15500e7051e1cb2a0
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3fb623972f05c22cf6924f7b90f74e98d3e29672e804eafc8d55a77365ffad41
                                                                                                                                                                                                              • Instruction Fuzzy Hash: EE02FD76A142018BCB0AEF28EC9227A77FDFB5A711F14811BD816DBB70E7758981CB44
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 9e5e8dcf7aecd96af655f5efca0ef670058ca5e9f559805f89600e8a515c1aca
                                                                                                                                                                                                              • Instruction ID: f640984aa1ab0515cd26f56e9a018961938cba23cf437df00ea85081819d7da6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9e5e8dcf7aecd96af655f5efca0ef670058ca5e9f559805f89600e8a515c1aca
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DBE1FE72A14610CBC30BCF29EC81526B7FEFB9A311F50811BD406CB678EB3A9941CB51
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 8f5361a8273c192098b73b433ed6fa303c6cec43aa0242f560816ce3b4c65b55
                                                                                                                                                                                                              • Instruction ID: 1300d904d596d9bb63c00b322726674807b87b5e6710459ab04c9a7b7f5b372f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8f5361a8273c192098b73b433ed6fa303c6cec43aa0242f560816ce3b4c65b55
                                                                                                                                                                                                              • Instruction Fuzzy Hash: FDC126356102058FDB27DF28FC8167577A8FB56311F11822BE806CB7A5E7769A81CB81
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc84900c585cfc957e9113970e6536603b41916496c53a4b86ac02747a4dd5d3
• Instruction ID: 0c4a4515c4461eb23801436c346608ad1a13fb0888e32595b8da91366890036c
• Opcode Fuzzy Hash: cc84900c585cfc957e9113970e6536603b41916496c53a4b86ac02747a4dd5d3
• Instruction Fuzzy Hash: EAB19F75A10606CBC72BDF28EC9157A77BDFB9A310F11811BE806DB660E739E840CB91
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b28b81d1cb008f48afa84a4c194ce41a756c82b78a4149b7f784f2da35ac3927
• Instruction ID: 7e639efb4a9d6ffba3a0c11ec016c4bd6efb5ca4f82c110dec0ad0df057301f0
• Opcode Fuzzy Hash: b28b81d1cb008f48afa84a4c194ce41a756c82b78a4149b7f784f2da35ac3927
• Instruction Fuzzy Hash: 14B1B876A11210CFC30ACF29ED9216577FAFB9A321F15812FD8468B674E77A9841CF84
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: f69ad95ddf69e131b5e05ca033b35074d0fef201758359d45644339968433533
• Instruction ID: 308d643bbd80f8e3a43f3a2e36910f13cda6e68d9ca0720bd720037f4ee64645
• Opcode Fuzzy Hash: f69ad95ddf69e131b5e05ca033b35074d0fef201758359d45644339968433533
• Instruction Fuzzy Hash: 6B81E1756142018FCB1BDF28EC92A3A33FDFB96310F00851AE406CB365EB399841CB94
APIs
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0036B1D7
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 0036B256
• CloseHandle.KERNEL32(00000000), ref: 0036B26B
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0036B2E7
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 0036B31A
• CloseHandle.KERNEL32(00000000), ref: 0036B334
Strings
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: td9k
• API String ID: 3236713533-1579400769
• Opcode ID: ee0d90fe71905b512fb5d1eb12935853ec7a7e7419fdd351c98fcd7c9a55ced4
• Instruction ID: 334993840a765135ad76ee7833557e9684b5b6668dbf6e88046e78e81605de79
• Opcode Fuzzy Hash: ee0d90fe71905b512fb5d1eb12935853ec7a7e7419fdd351c98fcd7c9a55ced4
• Instruction Fuzzy Hash: 0151C176A152059FD306CF69FC81A6AB7BCFB86314F10821BE805CB2B4E7359941CF85
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(00CA05B8,Function_00014290,?,?,00000072), ref: 0036B669
• SetServiceStatus.ADVAPI32(00000000,003A67EC,?,?,00000072), ref: 0036B70D
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000072), ref: 0036B721
• SetServiceStatus.ADVAPI32(00000000,003A67EC,?,?,00000072), ref: 0036B771
• WaitForSingleObject.KERNEL32(00000000,00001388,?,?,00000072), ref: 0036B7D0
• SetServiceStatus.ADVAPI32(00000000,003A67EC,00000072), ref: 0036B82A
• CloseHandle.KERNEL32(00000000), ref: 0036B841
• SetServiceStatus.ADVAPI32(00000000,003A67EC), ref: 0036B8AA
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
• Opcode ID: 70c4bf7fc0df9cc5f44fb3a69d08201a012c51f6eb74e9ad3a2b1f0f4fdd6998
• Instruction ID: 4a385601f969cd73a76a29ba668a1a34c03335094c2f687acde7fd7bf6605ece
• Opcode Fuzzy Hash: 70c4bf7fc0df9cc5f44fb3a69d08201a012c51f6eb74e9ad3a2b1f0f4fdd6998
• Instruction Fuzzy Hash: 3981BC7A525211CFC30BCF29FD969267BBDF79A705F04851AE412CA2B4E77A9841CF40
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00381F5E
• Process32First.KERNEL32(00000000,00000128), ref: 00381FDC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 003820A2
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3397401024-0
                                                                                                                                                                                                              • Opcode ID: 3866a8e978d27a0dc01954a157ac42822a8cbbcf5241537bcf099266b9187c94
                                                                                                                                                                                                              • Instruction ID: 4aa70dfb92b69498dd3f10ffd31c8088c6b2628552cebc7a8a1cca392124f9cc
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3866a8e978d27a0dc01954a157ac42822a8cbbcf5241537bcf099266b9187c94
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E4A1BCB5901310CFC71BEF28ED96AAA77BDFB66311F10415BD806CA2B4E7369A40CB40
APIs
  • Part of subcall function 003640B0: lstrlen.KERNEL32(?,?,00361038,?), ref: 003640DD
• CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000), ref: 0038BC6C
• Module32First.KERNEL32(00000000,00000224), ref: 0038BCE6
• CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 0038BE0E
• Process32Next.KERNEL32(?,00000128), ref: 0038BE48
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 0038BE96
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: CloseHandle$CreateFirstModule32NextProcess32SnapshotToolhelp32lstrlen
• String ID: 9y8
• API String ID: 2493088380-3592070472
• Opcode ID: 2c3acb3a8a4f704de426084008572a5e4b0aaeabed1b6dcd0da67dd72b6590a3
• Instruction ID: 50f3c41e66b1d27cd491c50f964fb30acb535dde2a4e997fb5e9bc190f91ce3a
• Opcode Fuzzy Hash: 2c3acb3a8a4f704de426084008572a5e4b0aaeabed1b6dcd0da67dd72b6590a3
• Instruction Fuzzy Hash: 7B71E171A102028FDB1BDF29ED92A7A77BDFB9A310F00815FE406CB2A0E7759941CB51
APIs
  • Part of subcall function 00372290: lstrlen.KERNEL32(?), ref: 003722A2
  • Part of subcall function 00372290: CharLowerBuffA.USER32(?,00000000), ref: 003722BE
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 003820A2
• TerminateProcess.KERNEL32(00000000), ref: 00382132
• CloseHandle.KERNEL32(00000000), ref: 0038217B
• Process32Next.KERNEL32(00000000,00000128), ref: 00382228
• CloseHandle.KERNEL32(00000000), ref: 0038227B
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: CloseHandleProcess$BuffCharLowerNextOpenProcess32Terminatelstrlen
• String ID:
• API String ID: 3465298759-0
• Opcode ID: 71950190e3e0ba69b0209d6d6e4ca02d2a2439209e17a0087b4d235fcdcd99c9
• Instruction ID: 082f2964b9097dafb5e54d136e39c425a1c471fa435571e3f7f7ddfbb8b58fda
• Opcode Fuzzy Hash: 71950190e3e0ba69b0209d6d6e4ca02d2a2439209e17a0087b4d235fcdcd99c9
• Instruction Fuzzy Hash: 8C61CB75A01304CBC71BEF28ED96AAA73BDFB66310F10415BE8068A275D7369A41CF85
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,00388262,Function_00001300,00000001,?), ref: 0038199B
• CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 003819C2
• CloseHandle.KERNEL32(00000000,?,00388262,Function_00001300,00000001,?), ref: 003819DD
• WaitForSingleObject.KERNEL32(?,000000FF,?,00388262,Function_00001300,00000001,?), ref: 003819F2
• CloseHandle.KERNEL32(?,?,000000FF,?,00388262,Function_00001300,00000001,?), ref: 00381A19
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: fa1321d9748c59a06534cc7d200f981d54998af8dd73cf6f91ed1d76c93ff30d
• Instruction ID: 5d5b3c18d4de80a2f2fc05c4a12c1b56ec370a4819f8c04c4ac5feb3549e00a9
• Opcode Fuzzy Hash: fa1321d9748c59a06534cc7d200f981d54998af8dd73cf6f91ed1d76c93ff30d
• Instruction Fuzzy Hash: C221E1352103049FD316DF64EC96B267BACFB49710F14821AF9468B6F4D7B69840CB95
APIs
• RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00377221
• RegSetValueExA.ADVAPI32(?,00CA0830,00000000,00000001,?,00000000), ref: 003772E0
• RegCloseKey.ADVAPI32(?), ref: 00377300
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: CloseOpenValue
• String ID: IR
• API String ID: 779948276-3379982419
• Opcode ID: 3df954b23d7d0c6d721624bfd9b7b25450cf4c6f77e9922da9cff6e17ad2cd22
• Instruction ID: 050c010acc94bfad02791bd7cc82c16fd11dfb0064fb09a62f3e5fbbe1c65d27
• Opcode Fuzzy Hash: 3df954b23d7d0c6d721624bfd9b7b25450cf4c6f77e9922da9cff6e17ad2cd22
• Instruction Fuzzy Hash: 4A41113A6102109BD716DF28EC86A7737FDE79A321F14812BE806CB771E7798841CB95
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0038E966
• ReadFile.KERNEL32(00000000,?,00005000,00000000,00000000), ref: 0038E9D7
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0038EADD
Memory Dump Source
• Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
Similarity
• API ID: File$CloseCreateHandleRead
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1035965006-0
                                                                                                                                                                                                              • Opcode ID: fe157df490abedda0b3cac3088219a6cebbac84c57eb601e23e7b6dd780db25e
                                                                                                                                                                                                              • Instruction ID: 68f3fbc900c4c7178cd5d4b5ecbcc9cfc41c8e6f34bdd860a4742dc6e6d70103
                                                                                                                                                                                                              • Opcode Fuzzy Hash: fe157df490abedda0b3cac3088219a6cebbac84c57eb601e23e7b6dd780db25e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0B81EE766103049FD307EF68EC92A6A33BDF786700F00555BE806CB2A5EB76A841CF95
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00390A87,00000000,?,?,?,?,?,00000001), ref: 0038FAF7
                                                                                                                                                                                                              • RtlReAllocateHeap.NTDLL(00000000,?,00390A87,00000000), ref: 0038FAFE
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?,?,00390A87,00000000,?,?,?,?,?,00000001), ref: 0038FB19
                                                                                                                                                                                                              • HeapAlloc.KERNEL32(00000000,?,00390A87,00000000,?,?,?,?,?,00000001), ref: 0038FB20
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Heap$Process$AllocAllocate
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1154092256-0
                                                                                                                                                                                                              • Opcode ID: b556ee720742ed5bbe3bd2e1d40d7ca57fdbdcb68224a7a54e57ba40f68316e0
                                                                                                                                                                                                              • Instruction ID: 954df124c09e067597bc0ea98c8e190779c446ace3f34150ed86f01c93590e15
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b556ee720742ed5bbe3bd2e1d40d7ca57fdbdcb68224a7a54e57ba40f68316e0
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9DF03971210304FFDB06AFB0EC0AAAA3B6CFF89711F148005F919C76A0EB329940CB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetSystemTimeAsFileTime.KERNEL32(00000001,00000001,00000000,00000001,00000000), ref: 00363E43
                                                                                                                                                                                                              • __aulldiv.LIBCMT ref: 00363E74
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.2191845263.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191828599.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191874510.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191889567.0000000000393000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.0000000000396000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191914098.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.2191991153.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_360000_66HKNPT1fl.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Time$FileSystem__aulldiv
                                                                                                                                                                                                              • String ID: L9<8
                                                                                                                                                                                                              • API String ID: 2838486344-2160928743
                                                                                                                                                                                                              • Opcode ID: 1bef48dcad9d6c06f14500c381fbe152a21fd1086796940131f93ec7d53743b4
                                                                                                                                                                                                              • Instruction ID: 46f6e9303afac90e3af0b53c9af5b62d7a873ae50e77653053da3ec75b288ce9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1bef48dcad9d6c06f14500c381fbe152a21fd1086796940131f93ec7d53743b4
                                                                                                                                                                                                              • Instruction Fuzzy Hash: CD41E0B6A142108FC70BCF18EDA156977BEFB9A714F21811FE4038BA74D3769941CB91

Execution Graph

Execution Coverage: 13.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.7%
Total number of Nodes: 1946
Total number of Limit Nodes: 24
10410 78a40 10407->10410 10409 54e2f 10409->10405 10411 78a52 10410->10411 10414 5baf0 10411->10414 10413 78a68 10413->10409 10415 5bafb 10414->10415 10416 6cb30 8 API calls 10415->10416 10417 5bb3c 10416->10417 10417->10413 10421 74d20 10418->10421 10422 74d4b 10421->10422 10425 714f0 10422->10425 10424 5106e 10424->10397 10426 7152d 10425->10426 10427 80850 8 API calls 10426->10427 10428 715b9 10427->10428 10428->10424 11152 76d10 11153 76d4b 11152->11153 11154 52ef0 2 API calls 11153->11154 11155 76d50 11154->11155 11156 520e0 3 API calls 11155->11156 11157 76d5f 11156->11157 10545 528a0 10547 528b0 10545->10547 10546 528c2 10547->10546 10548 52a0c ReadFile 10547->10548 10549 52a31 10548->10549 10550 520a0 10551 520b7 10550->10551 10552 551d0 8 API calls 10551->10552 10553 520ce 10552->10553 10429 72420 FlushFileBuffers 10430 724a2 10429->10430 10431 72460 GetLastError 10429->10431 10432 72820 10433 72873 10432->10433 10436 567e0 10433->10436 10437 5690b 10436->10437 10438 5681a 10436->10438 10454 6c640 10437->10454 10440 56834 10438->10440 10441 568bf 10438->10441 10445 764f0 10440->10445 10443 764f0 4 API calls 10441->10443 10444 56849 10443->10444 10447 76532 10445->10447 10446 76567 10446->10444 10447->10446 10450 765c5 10447->10450 10462 66dc0 10447->10462 10449 66dc0 4 API calls 10452 76684 10449->10452 10450->10449 10450->10452 10467 67450 10452->10467 10455 6c6a0 10454->10455 10456 66dc0 4 API calls 10455->10456 10457 6c756 10455->10457 10456->10457 10458 570e0 4 API calls 10457->10458 10459 6ca18 10457->10459 10460 6c7ba 10458->10460 10459->10444 10460->10459 10461 570e0 4 API calls 10460->10461 10461->10460 10463 66df3 10462->10463 10464 66df9 10462->10464 10463->10450 10471 570e0 10464->10471 10466 66e71 10466->10450 10468 675ba 10467->10468 10469 6748f 10467->10469 10468->10444 10469->10468 10470 6c520 2 API calls 10469->10470 10470->10469 10472 57110 10471->10472 10474 57130 10471->10474 10473 66f00 2 API calls 10472->10473 10475 57127 10473->10475 
10474->10466 10475->10474 10476 6c520 2 API calls 10475->10476 10476->10474 11261 677a1 11262 677aa 11261->11262 11263 55730 2 API calls 11262->11263 11264 67b66 11263->11264 11265 73840 2 API calls 11264->11265 11266 67b95 11265->11266 10477 64a29 10487 64a30 10477->10487 10478 570e0 4 API calls 10478->10487 10479 65323 10482 65395 10479->10482 10483 65389 10479->10483 10480 66dc0 4 API calls 10480->10487 10481 67450 2 API calls 10488 64be5 10481->10488 10485 67450 2 API calls 10482->10485 10484 67450 2 API calls 10483->10484 10486 65390 10484->10486 10485->10486 10487->10478 10487->10480 10487->10488 10488->10479 10488->10481 11267 77da8 11276 77db0 11267->11276 11268 7835c 11269 56660 8 API calls 11268->11269 11270 785a4 11269->11270 11271 51890 8 API calls 11271->11276 11272 78354 11273 55730 GetProcessHeap RtlAllocateHeap 11273->11276 11274 71950 5 API calls 11274->11276 11275 73840 GetProcessHeap RtlFreeHeap 11275->11276 11276->11268 11276->11271 11276->11272 11276->11273 11276->11274 11276->11275 11277 782d0 CreateThread CloseHandle 11276->11277 11277->11276 11163 5b531 11164 5b5ae RegisterServiceCtrlHandlerA 11163->11164 11166 5b696 11164->11166 11167 5b8ba 11166->11167 11168 5b702 SetServiceStatus CreateEventA SetServiceStatus 11166->11168 11169 5b7b0 WaitForSingleObject 11168->11169 11170 5b7a2 11168->11170 11169->11169 11171 5b7dd 11169->11171 11170->11169 11172 56590 WaitForSingleObject 11171->11172 11173 5b7f4 SetServiceStatus CloseHandle SetServiceStatus 11172->11173 11173->11167 10301 76d32 10302 76d4b 10301->10302 10307 52ef0 10302->10307 10306 76d5f 10314 63d60 10307->10314 10309 52f36 10310 520e0 GetStdHandle GetStdHandle 10309->10310 10311 52177 GetStdHandle 10310->10311 10312 5215b 10310->10312 10313 521bc 10311->10313 10312->10311 10313->10306 10315 63d9f GetProcessHeap HeapAlloc 10314->10315 10316 63d84 10314->10316 10315->10309 10316->10315 10489 52630 10492 551d0 10489->10492 10493 55202 10492->10493 10496 52df0 10493->10496 10495 5265b 
10497 6cb30 8 API calls 10496->10497 10498 52e22 10497->10498 10498->10495 10554 6beb0 10555 6bec8 10554->10555 10560 540b0 lstrlen 10555->10560 10557 6bf13 10561 54090 10557->10561 10560->10557 10564 56670 10561->10564 10563 540aa 10565 5668f 10564->10565 10566 566f1 10565->10566 10567 566fe 10565->10567 10568 714f0 8 API calls 10566->10568 10570 566fc 10567->10570 10571 5b9e0 10567->10571 10568->10570 10570->10563 10572 5b9ff 10571->10572 10573 6cb30 8 API calls 10572->10573 10574 5ba40 10573->10574 10574->10570 11281 74db0 11282 74ddf 11281->11282 11283 7fad0 4 API calls 11282->11283 11284 74e33 11282->11284 11283->11284 11181 7e139 11182 7e140 11181->11182 11184 55730 2 API calls 11182->11184 11187 7e294 11182->11187 11183 7e637 HeapFree FreeLibrary 11185 7e2e0 11184->11185 11186 73840 2 API calls 11185->11186 11186->11187 11187->11183 11285 703b9 11286 703c0 11285->11286 11286->11286 11380 540b0 lstrlen 11286->11380 11288 704d8 11381 540b0 lstrlen 11288->11381 11290 704e6 11291 55730 2 API calls 11290->11291 11351 70b61 11290->11351 11292 705a8 11291->11292 11293 5b980 9 API calls 11292->11293 11294 705c0 11293->11294 11295 73840 2 API calls 11294->11295 11296 705d2 11295->11296 11297 70779 11296->11297 11299 55730 2 API calls 11296->11299 11298 74a90 9 API calls 11297->11298 11300 707b9 11298->11300 11301 70637 11299->11301 11302 75810 8 API calls 11300->11302 11304 575a0 9 API calls 11301->11304 11303 707c5 11302->11303 11305 55730 2 API calls 11303->11305 11306 70669 11304->11306 11307 707e6 11305->11307 11311 73840 2 API calls 11306->11311 11308 74a90 9 API calls 11307->11308 11309 70810 11308->11309 11310 75810 8 API calls 11309->11310 11312 7081c 11310->11312 11314 706aa 11311->11314 11313 73840 2 API calls 11312->11313 11315 7084e 11313->11315 11314->11297 11316 76b70 8 API calls 11314->11316 11317 74a90 9 API calls 11315->11317 11318 70712 11316->11318 11319 7086d 11317->11319 11320 55730 2 API calls 11318->11320 11321 75810 8 API calls 11319->11321 
11322 7074f 11320->11322 11326 7087c 11321->11326 11323 5b980 9 API calls 11322->11323 11324 70767 11323->11324 11325 73840 2 API calls 11324->11325 11325->11297 11330 55730 2 API calls 11326->11330 11364 70a19 11326->11364 11327 55730 2 API calls 11328 70a59 11327->11328 11329 74a90 9 API calls 11328->11329 11331 70a77 11329->11331 11332 708e7 11330->11332 11333 75810 8 API calls 11331->11333 11334 74a90 9 API calls 11332->11334 11338 70a83 11333->11338 11335 70902 11334->11335 11336 75810 8 API calls 11335->11336 11337 70911 11336->11337 11340 55730 2 API calls 11337->11340 11339 73840 2 API calls 11338->11339 11341 70acb 11339->11341 11342 70932 11340->11342 11343 70b1c socket 11341->11343 11345 75810 8 API calls 11341->11345 11344 73840 2 API calls 11342->11344 11343->11351 11352 70bb0 11343->11352 11346 70993 11344->11346 11345->11343 11382 5bba0 wvsprintfA 11346->11382 11347 70c70 gethostbyname 11348 70c99 inet_ntoa inet_addr htons connect 11347->11348 11347->11351 11354 70d44 11348->11354 11359 70d6d 11348->11359 11352->11347 11353 70c45 setsockopt 11352->11353 11353->11347 11355 709d1 11356 73840 2 API calls 11355->11356 11357 709e3 11356->11357 11358 74a90 9 API calls 11357->11358 11360 70a0a 11358->11360 11361 70d93 send 11359->11361 11362 75810 8 API calls 11360->11362 11363 70daf 11361->11363 11362->11364 11365 70db3 11363->11365 11366 56660 8 API calls 11363->11366 11364->11327 11379 70deb 11366->11379 11367 70e5b recv 11368 71275 closesocket 11367->11368 11367->11379 11368->11351 11370 712ae 11368->11370 11369 52bb0 GetSystemTimeAsFileTime 11369->11379 11371 76b70 8 API calls 11370->11371 11371->11351 11372 80850 8 API calls 11372->11379 11373 51890 8 API calls 11373->11379 11374 71265 11374->11368 11375 73840 GetProcessHeap RtlFreeHeap 11375->11379 11376 776d0 9 API calls 11376->11379 11377 55730 GetProcessHeap RtlAllocateHeap 11377->11379 11378 575a0 9 API calls 11378->11379 11379->11367 11379->11368 11379->11369 11379->11372 11379->11373 
11379->11374 11379->11375 11379->11376 11379->11377 11379->11378 11380->11288 11381->11290 11382->11355 9234 6b744 9235 6b7d3 9234->9235 9239 600c8 9235->9239 9446 60ae8 9235->9446 9589 73840 9239->9589 9243 6010b 9244 73840 2 API calls 9243->9244 9245 6013a 9244->9245 9246 55730 2 API calls 9245->9246 9247 60180 9246->9247 9248 73840 2 API calls 9247->9248 9249 601a9 9248->9249 9250 55730 2 API calls 9249->9250 9251 601f9 9250->9251 9252 73840 2 API calls 9251->9252 9253 60219 9252->9253 9254 55730 2 API calls 9253->9254 9255 6027a 9254->9255 9256 73840 2 API calls 9255->9256 9257 60292 9256->9257 9258 73840 2 API calls 9257->9258 9259 602d0 9258->9259 9597 6c520 9259->9597 9263 6036d 9264 55730 2 API calls 9263->9264 9265 603c5 GetEnvironmentVariableA 9264->9265 9267 73840 2 API calls 9265->9267 9268 60414 CreateMutexA CreateMutexA CreateMutexA 9267->9268 9606 56460 9268->9606 9270 604b5 9271 6060b 9270->9271 9273 6057f GetTickCount 9270->9273 9274 6056a 9270->9274 9610 62490 9271->9610 9276 60593 9273->9276 9274->9273 9275 6061a GetCommandLineA 9280 60652 9275->9280 9278 55730 2 API calls 9276->9278 9279 605a9 9278->9279 9281 73840 2 API calls 9279->9281 9282 55730 2 API calls 9280->9282 9283 605de 9281->9283 9284 606e3 9282->9284 9283->9271 9285 73840 2 API calls 9284->9285 9286 60711 9285->9286 9287 611fc GetCommandLineA 9286->9287 9288 55730 2 API calls 9286->9288 9709 6bf70 9287->9709 9291 6077b 9288->9291 9290 6121a 9712 540b0 lstrlen 9290->9712 9293 73840 2 API calls 9291->9293 9294 607ff 9293->9294 9296 60845 9294->9296 9300 72780 ExitProcess 9294->9300 9298 55730 2 API calls 9296->9298 9297 61257 GetModuleFileNameA 9713 62290 lstrlen CharLowerBuffA 9297->9713 9301 6087a 9298->9301 9300->9296 9303 73840 2 API calls 9301->9303 9302 61347 9714 62290 lstrlen CharLowerBuffA 9302->9714 9304 608ea 9303->9304 9306 60931 9304->9306 9308 72780 ExitProcess 9304->9308 9866 75860 9306->9866 9307 613cd 9715 62290 lstrlen CharLowerBuffA 9307->9715 9308->9306 9312 55730 
2 API calls 9314 60972 9312->9314 9313 616fa 9716 572e0 9313->9716 9316 73840 2 API calls 9314->9316 9337 609f1 9316->9337 9317 61752 9318 6177a 9317->9318 9319 72780 ExitProcess 9317->9319 9724 7cbe0 9318->9724 9319->9318 9321 617df 9820 53dc0 9321->9820 9324 61805 9824 55f60 9324->9824 9326 61406 9326->9313 9904 67f00 9326->9904 9329 61523 9910 560a0 9329->9910 9330 60bbd Sleep 9331 5b150 5 API calls 9330->9331 9334 60bfc 9331->9334 9333 53dc0 GetSystemTimeAsFileTime 9333->9337 9334->9337 9336 616cf 9338 72780 ExitProcess 9336->9338 9337->9330 9337->9333 9340 60cd0 Sleep 9337->9340 9343 60cf4 9337->9343 9872 6c250 9337->9872 9882 5b150 9337->9882 9338->9313 9339 6156e 9339->9336 9342 55730 2 API calls 9339->9342 9340->9337 9341 6182e 9344 6192c WSAStartup 9341->9344 9345 6160a 9342->9345 9347 6c250 6 API calls 9343->9347 9352 60df4 9343->9352 9353 60d81 9343->9353 9348 61965 9344->9348 9356 619c2 9344->9356 9925 540b0 lstrlen 9345->9925 9347->9343 9350 55730 2 API calls 9348->9350 9349 6161f MessageBoxA 9351 61682 9349->9351 9354 6197b 9350->9354 9355 73840 2 API calls 9351->9355 9358 5b150 5 API calls 9352->9358 9891 71e90 9353->9891 9926 6d060 9354->9926 9359 616a3 9355->9359 9363 61a85 9356->9363 9828 724e0 9356->9828 9361 60e1c 9358->9361 9364 72780 ExitProcess 9359->9364 9360 60da0 Sleep 9360->9343 9360->9352 9366 61178 9361->9366 9367 60e9a GetModuleFileNameA SetFileAttributesA CopyFileA 9361->9367 9371 60e88 9361->9371 9372 61ab4 CloseHandle SetFileAttributesA CopyFileA 9363->9372 9373 61d89 9363->9373 9364->9336 9369 738b0 3 API calls 9366->9369 9374 55730 2 API calls 9367->9374 9368 61a22 9375 61a43 9368->9375 9379 72780 ExitProcess 9368->9379 9370 6119f 9369->9370 9382 72780 ExitProcess 9370->9382 9371->9367 9376 61cf0 9372->9376 9377 61b15 SetFileAttributesA 9372->9377 9389 61d9d 9373->9389 9378 60f2b 9374->9378 9931 63ec0 9375->9931 9861 56590 WaitForSingleObject 9376->9861 9396 61b60 9377->9396 9388 73840 2 API calls 9378->9388 9379->9375 9382->9287 
9386 6c250 6 API calls 9386->9389 9390 60f61 9388->9390 9389->9386 9392 61e13 SetFileAttributesA CopyFileA 9389->9392 9397 71e90 9 API calls 9389->9397 9395 60ff1 9390->9395 9405 55730 2 API calls 9390->9405 9391 61bf1 9393 61c2c 9391->9393 9401 61c65 Sleep 9391->9401 9398 61e74 SetFileAttributesA 9392->9398 9399 61e62 9392->9399 9939 67110 9393->9939 9403 610d7 SetFileAttributesA 9395->9403 9404 61085 SetFileAttributesA 9395->9404 9396->9391 9839 68200 9396->9839 9406 61de4 Sleep 9397->9406 9400 75860 lstrlen 9398->9400 9399->9398 9408 61e97 9400->9408 9413 61cc6 9401->9413 9415 610f9 9403->9415 9404->9415 9416 60fab 9405->9416 9406->9389 9406->9392 9412 55730 2 API calls 9408->9412 9418 61ec7 9412->9418 9854 738b0 9413->9854 9415->9366 9417 73840 2 API calls 9416->9417 9417->9395 9419 55730 2 API calls 9418->9419 9420 61f1f 9419->9420 9421 73840 2 API calls 9420->9421 9422 61f36 9421->9422 9950 735c0 9422->9950 9424 61f4d 9425 73840 2 API calls 9424->9425 9426 61f6e 9425->9426 9957 7c080 9426->9957 9429 55730 2 API calls 9430 61fa9 9429->9430 9431 55730 2 API calls 9430->9431 9432 61fcd 9431->9432 9978 5bba0 wvsprintfA 9432->9978 9434 61fed 9435 73840 2 API calls 9434->9435 9436 62017 9435->9436 9437 73840 2 API calls 9436->9437 9438 62047 9437->9438 9439 738b0 3 API calls 9438->9439 9441 620a3 9439->9441 9440 62185 CreateThread 9442 621ca 9440->9442 9443 621b3 9440->9443 9441->9440 9445 621f0 Sleep 9442->9445 9979 75010 StartServiceCtrlDispatcherA 9443->9979 9445->9445 9453 60af0 9446->9453 9447 6c250 6 API calls 9447->9453 9448 5b150 5 API calls 9448->9453 9449 60bbd Sleep 9450 5b150 5 API calls 9449->9450 9452 60bfc 9450->9452 9451 53dc0 GetSystemTimeAsFileTime 9451->9453 9452->9453 9453->9447 9453->9448 9453->9449 9453->9451 9454 60cd0 Sleep 9453->9454 9455 60cf4 9453->9455 9454->9453 9456 6c250 6 API calls 9455->9456 9457 60df4 9455->9457 9458 60d81 9455->9458 9456->9455 9460 5b150 5 API calls 9457->9460 9459 71e90 9 API calls 9458->9459 9461 60da0 Sleep 
9459->9461 9462 60e1c 9460->9462 9461->9455 9461->9457 9463 61178 9462->9463 9464 60e9a GetModuleFileNameA SetFileAttributesA CopyFileA 9462->9464 9467 60e88 9462->9467 9465 738b0 3 API calls 9463->9465 9468 55730 2 API calls 9464->9468 9466 6119f 9465->9466 9470 72780 ExitProcess 9466->9470 9467->9464 9469 60f2b 9468->9469 9473 73840 2 API calls 9469->9473 9471 611fc GetCommandLineA 9470->9471 9472 6bf70 lstrlen 9471->9472 9474 6121a 9472->9474 9475 60f61 9473->9475 10294 540b0 lstrlen 9474->10294 9476 60ff1 9475->9476 9479 55730 2 API calls 9475->9479 9477 610d7 SetFileAttributesA 9476->9477 9478 61085 SetFileAttributesA 9476->9478 9483 610f9 9477->9483 9478->9483 9484 60fab 9479->9484 9483->9463 9485 73840 2 API calls 9484->9485 9485->9476 9486 61257 GetModuleFileNameA 10295 62290 lstrlen CharLowerBuffA 9486->10295 9488 61347 10296 62290 lstrlen CharLowerBuffA 9488->10296 9490 613cd 10297 62290 lstrlen CharLowerBuffA 9490->10297 9492 616fa 9493 572e0 6 API calls 9492->9493 9494 61752 9493->9494 9495 6177a 9494->9495 9496 72780 ExitProcess 9494->9496 9497 7cbe0 28 API calls 9495->9497 9496->9495 9498 617df 9497->9498 9499 53dc0 GetSystemTimeAsFileTime 9498->9499 9500 61805 9499->9500 9501 55f60 lstrlen 9500->9501 9510 6182e 9501->9510 9502 61406 9502->9492 9503 67f00 16 API calls 9502->9503 9504 61523 9503->9504 9506 560a0 10 API calls 9504->9506 9509 6156e 9506->9509 9507 616cf 9508 72780 ExitProcess 9507->9508 9508->9492 9509->9507 9511 55730 2 API calls 9509->9511 9512 6192c WSAStartup 9510->9512 9513 6160a 9511->9513 9515 61965 9512->9515 9521 619c2 9512->9521 10298 540b0 lstrlen 9513->10298 9517 55730 2 API calls 9515->9517 9516 6161f MessageBoxA 9518 61682 9516->9518 9519 6197b 9517->9519 9520 73840 2 API calls 9518->9520 9524 6d060 2 API calls 9519->9524 9522 616a3 9520->9522 9523 61a85 9521->9523 9526 724e0 15 API calls 9521->9526 9525 72780 ExitProcess 9522->9525 9528 61ab4 CloseHandle SetFileAttributesA CopyFileA 9523->9528 9529 61d89 9523->9529 
9524->9521 9525->9507 9527 61a22 9526->9527 9530 61a43 9527->9530 9533 72780 ExitProcess 9527->9533 9531 61cf0 9528->9531 9532 61b15 SetFileAttributesA 9528->9532 9541 61d9d 9529->9541 9536 63ec0 2 API calls 9530->9536 9537 56590 WaitForSingleObject 9531->9537 9546 61b60 9532->9546 9533->9530 9540 61a73 9536->9540 9538 61d49 9537->9538 9545 72780 ExitProcess 9538->9545 9539 6c250 6 API calls 9539->9541 9540->9523 9541->9539 9543 61e13 SetFileAttributesA CopyFileA 9541->9543 9547 71e90 9 API calls 9541->9547 9542 61bf1 9544 61c2c 9542->9544 9551 61c65 Sleep 9542->9551 9548 61e74 SetFileAttributesA 9543->9548 9549 61e62 9543->9549 9552 67110 8 API calls 9544->9552 9545->9529 9546->9542 9554 68200 9 API calls 9546->9554 9553 61de4 Sleep 9547->9553 9550 75860 lstrlen 9548->9550 9549->9548 9555 61e97 9550->9555 9559 61cc6 9551->9559 9556 61c4e 9552->9556 9553->9541 9553->9543 9554->9542 9558 55730 2 API calls 9555->9558 9556->9551 9561 61ec7 9558->9561 9560 738b0 3 API calls 9559->9560 9560->9531 9562 55730 2 API calls 9561->9562 9563 61f1f 9562->9563 9564 73840 2 API calls 9563->9564 9565 61f36 9564->9565 9566 735c0 3 API calls 9565->9566 9567 61f4d 9566->9567 9568 73840 2 API calls 9567->9568 9569 61f6e 9568->9569 9570 7c080 13 API calls 9569->9570 9571 61f93 9570->9571 9572 55730 2 API calls 9571->9572 9573 61fa9 9572->9573 9574 55730 2 API calls 9573->9574 9575 61fcd 9574->9575 10299 5bba0 wvsprintfA 9575->10299 9577 61fed 9578 73840 2 API calls 9577->9578 9579 62017 9578->9579 9580 73840 2 API calls 9579->9580 9581 62047 9580->9581 9582 738b0 3 API calls 9581->9582 9584 620a3 9582->9584 9583 62185 CreateThread 9585 621ca 9583->9585 9586 621b3 9583->9586 9584->9583 9588 621f0 Sleep 9585->9588 10300 75010 StartServiceCtrlDispatcherA 9586->10300 9588->9588 9590 73863 9589->9590 9591 6c520 2 API calls 9590->9591 9592 600d0 9591->9592 9593 55730 9592->9593 9594 55776 9593->9594 9980 66f00 9594->9980 9596 5580a 9596->9243 9598 6c543 GetProcessHeap RtlFreeHeap 9597->9598 
9599 6c52f 9597->9599 9600 6031a 9598->9600 9599->9598 9601 799b0 GetSystemTime 9600->9601 9602 79a49 9601->9602 9603 53dc0 GetSystemTimeAsFileTime 9602->9603 9604 79b45 GetTickCount 9603->9604 9605 79b83 9604->9605 9605->9263 9607 80bf0 9606->9607 9608 66f00 2 API calls 9607->9608 9609 80c06 9608->9609 9609->9270 9612 624c4 9610->9612 9611 62505 GetVersionExA 9983 7c640 9611->9983 9612->9611 9617 55730 2 API calls 9619 6279f 9617->9619 10006 5b980 9619->10006 9622 6262c 9624 626c7 CreateDirectoryA 9622->9624 9623 73840 2 API calls 9627 627eb 9623->9627 9625 55730 2 API calls 9624->9625 9626 62711 9625->9626 9628 73840 2 API calls 9626->9628 10009 73060 9627->10009 9630 6273f 9628->9630 9630->9617 9631 62818 9632 62823 DeleteFileA RemoveDirectoryA 9631->9632 9633 628bc 9631->9633 9632->9633 9634 68090 6 API calls 9633->9634 9635 628e8 9634->9635 9636 6291f CreateDirectoryA 9635->9636 9637 6296a 9636->9637 9638 75860 lstrlen 9637->9638 9639 629cb CreateDirectoryA 9638->9639 9640 55730 2 API calls 9639->9640 9641 62a0b 9640->9641 9642 55730 2 API calls 9641->9642 9643 62a44 9642->9643 9644 73840 2 API calls 9643->9644 9645 62a60 9644->9645 9646 5b980 9 API calls 9645->9646 9647 62a7c 9646->9647 9648 73840 2 API calls 9647->9648 9649 62a96 9648->9649 9650 73060 5 API calls 9649->9650 9651 62ad4 9650->9651 9652 63405 9651->9652 9653 62b54 9651->9653 9654 62af2 9651->9654 9658 75860 lstrlen 9652->9658 9656 55730 2 API calls 9653->9656 9655 55730 2 API calls 9654->9655 9657 62b08 9655->9657 9659 62b71 9656->9659 10028 5bba0 wvsprintfA 9657->10028 9661 63437 SetFileAttributesA 9658->9661 10029 5bba0 wvsprintfA 9659->10029 9669 6346e 9661->9669 9662 62b28 9664 73840 2 API calls 9662->9664 9666 62b3a 9664->9666 9665 62bde 9667 73840 2 API calls 9665->9667 9668 62c60 9666->9668 9667->9666 9670 62c7c CreateDirectoryA 9668->9670 9669->9275 9671 62cd3 9670->9671 9672 75860 lstrlen 9671->9672 9673 62d51 CreateDirectoryA 9672->9673 9674 55730 2 API calls 9673->9674 9675 62d99 
9674->9675 9676 55730 2 API calls 9675->9676 9677 62de9 9676->9677 9678 73840 2 API calls 9677->9678 9679 62dfd 9678->9679 9680 5b980 9 API calls 9679->9680 9681 62e13 9680->9681 9682 73840 2 API calls 9681->9682 9683 62e36 9682->9683 9684 73060 5 API calls 9683->9684 9685 62e8f 9684->9685 9686 62e9a GetTempPathA 9685->9686 9708 63327 9685->9708 10030 540b0 lstrlen 9686->10030 9688 62edc 9689 75860 lstrlen 9688->9689 9690 63052 CreateDirectoryA 9689->9690 9691 55730 2 API calls 9690->9691 9692 63097 9691->9692 9693 55730 2 API calls 9692->9693 9694 630fc 9693->9694 9695 73840 2 API calls 9694->9695 9696 63141 9695->9696 9697 5b980 9 API calls 9696->9697 9698 63171 9697->9698 9699 73840 2 API calls 9698->9699 9700 6319c 9699->9700 9701 73060 5 API calls 9700->9701 9702 631c9 9701->9702 9703 631d4 GetTempPathA 9702->9703 9702->9708 9704 63226 9703->9704 9705 55730 2 API calls 9704->9705 9706 632b1 9705->9706 9707 73840 2 API calls 9706->9707 9707->9708 9708->9652 10066 540b0 lstrlen 9709->10066 9711 6bfcb 9711->9290 9712->9297 9713->9302 9714->9307 9715->9326 9717 75860 lstrlen 9716->9717 9718 57353 9717->9718 9719 55730 2 API calls 9718->9719 9720 57387 9719->9720 9721 73840 2 API calls 9720->9721 9722 5742f CreateFileA 9721->9722 9723 5747b 9722->9723 9723->9317 9725 7cc70 9724->9725 9726 56460 2 API calls 9725->9726 9727 7ccd6 9726->9727 9728 7cd3a GetComputerNameA 9727->9728 9729 7ce1e 9728->9729 9730 7cd55 9728->9730 9731 55730 2 API calls 9729->9731 9732 55730 2 API calls 9730->9732 9733 7cefb 9731->9733 9734 7cd6b 9732->9734 9735 73840 2 API calls 9733->9735 9736 73840 2 API calls 9734->9736 9737 7cf70 9735->9737 9736->9729 9738 5b980 9 API calls 9737->9738 9739 7cf8c 9738->9739 10067 54460 9739->10067 9741 7cfaa 10070 7db50 9741->10070 9743 7d075 10108 540b0 lstrlen 9743->10108 9745 7d094 10109 74a90 9745->10109 9749 7d101 9750 54460 8 API calls 9749->9750 9751 7d132 9750->9751 9752 74a90 9 API calls 9751->9752 9753 7d16a 9752->9753 9754 75810 8 API calls 
9753->9754 9755 7d179 9754->9755 9756 54460 8 API calls 9755->9756 9757 7d1d2 9756->9757 9758 74a90 9 API calls 9757->9758 9759 7d1f7 9758->9759 9760 75810 8 API calls 9759->9760 9761 7d206 9760->9761 9762 54460 8 API calls 9761->9762 9763 7d22d 9762->9763 9764 74a90 9 API calls 9763->9764 9765 7d26f 9764->9765 9766 75810 8 API calls 9765->9766 9767 7d27b 9766->9767 9768 54460 8 API calls 9767->9768 9769 7d297 9768->9769 9770 74a90 9 API calls 9769->9770 9771 7d2dc 9770->9771 9772 75810 8 API calls 9771->9772 9773 7d2eb 9772->9773 9774 54460 8 API calls 9773->9774 9775 7d30a 9774->9775 9776 55730 2 API calls 9775->9776 9777 7d32a 9776->9777 9778 74a90 9 API calls 9777->9778 9779 7d345 9778->9779 9780 75810 8 API calls 9779->9780 9781 7d354 9780->9781 9782 73840 2 API calls 9781->9782 9783 7d381 9782->9783 9784 54460 8 API calls 9783->9784 9785 7d3a2 9784->9785 9786 74a90 9 API calls 9785->9786 9787 7d3cf 9786->9787 9788 75810 8 API calls 9787->9788 9789 7d3db 9788->9789 9790 54460 8 API calls 9789->9790 9791 7d3fd 9790->9791 9792 74a90 9 API calls 9791->9792 9793 7d42a 9792->9793 9794 75810 8 API calls 9793->9794 9795 7d439 9794->9795 9796 54460 8 API calls 9795->9796 9797 7d46e 9796->9797 10116 74c30 9797->10116 9801 7d4e7 9802 74a90 9 API calls 9801->9802 9803 7d4f3 9802->9803 9804 75810 8 API calls 9803->9804 9805 7d502 9804->9805 9806 54460 8 API calls 9805->9806 9807 7d523 9806->9807 9808 74a90 9 API calls 9807->9808 9809 7d56f 9808->9809 9810 75810 8 API calls 9809->9810 9811 7d57e 9810->9811 10126 78ba0 9811->10126 9813 7d5c0 10152 56660 9813->10152 9815 7d5dd 10155 51890 9815->10155 9817 7d622 10159 53a00 9817->10159 9819 7d666 9819->9321 9821 53e2d GetSystemTimeAsFileTime 9820->9821 9822 53df8 9820->9822 9823 53e79 __aulldiv 9821->9823 9822->9821 9823->9324 9825 55fb1 9824->9825 10219 540b0 lstrlen 9825->10219 9827 55fce 9827->9341 9829 72500 9828->9829 9830 75860 lstrlen 9829->9830 9831 72589 9830->9831 9832 55730 2 API calls 9831->9832 9833 7259a 
9831->9833 9834 7260b 9832->9834 9833->9368 9835 73840 2 API calls 9834->9835 9836 72665 9835->9836 10220 7e880 9836->10220 9838 7268c 9838->9368 9840 68243 OpenSCManagerA 9839->9840 9841 68218 9839->9841 9842 68293 CreateServiceA 9840->9842 9851 684af 9840->9851 9841->9840 9843 682e0 ChangeServiceConfig2A StartServiceA CloseServiceHandle 9842->9843 9844 6835b 9842->9844 9845 68463 CloseServiceHandle 9843->9845 9846 68381 OpenServiceA 9844->9846 9847 6836f 9844->9847 9845->9851 9849 683a5 StartServiceA 9846->9849 9850 6841f 9846->9850 9847->9846 9852 68407 CloseServiceHandle 9849->9852 9853 683ef 9849->9853 9850->9845 9851->9391 9852->9850 9853->9852 9855 738d4 9854->9855 9856 739b5 CreateProcessA 9855->9856 9857 73a64 9856->9857 9858 73a1a 9856->9858 9857->9376 9859 73a26 9858->9859 9860 73a3a CloseHandle CloseHandle 9858->9860 9859->9860 9860->9857 9862 565cc 9861->9862 9863 72780 9862->9863 10237 5ad30 9863->10237 9865 72798 ExitProcess 9867 75879 9866->9867 9868 55f60 lstrlen 9867->9868 9869 758ab 9868->9869 9870 6095c 9869->9870 10239 540b0 lstrlen 9869->10239 9870->9312 9873 6c270 CreateToolhelp32Snapshot 9872->9873 9875 6c4e5 9873->9875 9876 6c32c Process32First 9873->9876 9875->9337 9877 6c4ca CloseHandle 9876->9877 9879 6c387 9876->9879 9877->9875 9880 6c4a2 9879->9880 9881 6c441 Process32Next 9879->9881 10240 62290 lstrlen CharLowerBuffA 9879->10240 9880->9877 9881->9879 9881->9880 9883 5b1a9 9882->9883 9884 5b1bb CreateFileA 9882->9884 9883->9884 9885 5b21c GetFileTime 9884->9885 9886 5b1fe 9884->9886 9887 5b284 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 9885->9887 9888 5b260 CloseHandle 9885->9888 9886->9337 9889 5b2ec GetFileSize CloseHandle 9887->9889 9888->9337 9890 5b34c 9889->9890 9890->9337 9892 71f1c CreateToolhelp32Snapshot 9891->9892 9894 71f7f 9892->9894 9895 71fd4 Process32First 9894->9895 9897 7228b 9894->9897 9896 72255 CloseHandle 9895->9896 9898 71ff4 9895->9898 9896->9897 9897->9360 9900 721e9 Process32Next 9898->9900 9901 72098 
[Call-graph edge list continued from the previous function: node id, function address, API names (or "N API calls" for a summarised callee), and a->b edges, rendered as a graph in the report. Notable API chains it records: a process-kill loop at 72000 (Process32Next, lstrlen/CharLowerBuffA name compare via 62290, OpenProcess, TerminateProcess, CloseHandle); a directory sweep at 560d3 (Sleep, FindFirstFileA, DeleteFileA, FindNextFileA, FindClose); a registry write at 67163 (RegOpenKeyA, RegSetValueExA, RegCloseKey); a GetSystemTimeAsFileTime/Sleep wait loop at 63f0c; an administrator check at 7c652 (AllocateAndInitializeSid, CheckTokenMembership, FreeSid); mutex-guarded file writes and reads at 7306d and 7e88d (WaitForSingleObject, CreateFileA, WriteFile/ReadFile, CloseHandle, ReleaseMutex); a file read and rewrite at 7a760 (CreateFileA, ReadFile, CloseHandle, GetTickCount, wvsprintfA, WriteFile); adapter enumeration at 7dbe3 (LoadLibraryA, GetProcAddress, HeapAlloc, GetAdaptersInfo, HeapFree, FreeLibrary); CryptGenRandom resolved through GetProcAddress at 7708f under the same mutex; process and module enumeration at 7b7f0 (CreateToolhelp32Snapshot, Process32First, Module32First, Process32Next, CloseHandle); service enumeration at 7a050 (OpenSCManagerA, EnumServicesStatusA, GetLastError, CloseServiceHandle); thread and event creation at 77db0 (CreateThread, CreateEventA, WaitForSingleObject, CloseHandle); GetWindowsDirectoryA at 68090; GetProcAddress/GetCurrentProcess at 6d0d0; and ExitProcess at 524c6 and 72780.]
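The call-graph dump above is the textual form of the report's graph: each node is `<id> <function address> [API names | N API calls]` and each edge is `<caller id>-><callee id>`. The parser below is an added example, not Joe Sandbox code or part of the sample: it reads that format into a graph, reports which APIs a node can reach, and flags a loop body that reaches both OpenProcess and TerminateProcess, which is the process-kill pattern at 72000. The sample graph is a constructed fragment copied from the dump (the 72000 loop plus a registry-write path whose helper carries a "2 API calls" summary); the class and function names are my own and the basic-block graph format used for 62490 is not handled.

```python
import re
from collections import defaultdict, deque
from typing import Dict, List, Set

# Constructed sample: two fragments copied verbatim from this report's call-graph
# dump. The first is the process-termination loop at 0x72000, the second a
# registry-write path whose helper node carries a "2 API calls" summary label.
SAMPLE_GRAPH = (
    "11554 71ff6 11560 72000 11554->11560 11556 721e9 Process32Next "
    "11557 72255 CloseHandle 11556->11557 11556->11560 11562 7228b 11557->11562 "
    "11558 72098 OpenProcess 11558->11560 11559 7210a TerminateProcess 11559->11560 "
    "11561 7217a CloseHandle 11559->11561 11560->11556 11560->11558 11560->11559 "
    "11560->11561 11563 62290 lstrlen CharLowerBuffA 11560->11563 11561->11560 11563->11560 "
    "9940 67163 9939->9940 9941 55730 2 API calls 9940->9941 9942 671fd RegOpenKeyA 9941->9942"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")      # caller->callee
NODE_ID_RE = re.compile(r"^\d+$")            # decimal node id
ADDR_RE = re.compile(r"^[0-9a-f]+$")         # lowercase hex function address


class CallGraph:
    def __init__(self) -> None:
        self.addr: Dict[str, str] = {}                         # node id -> function address
        self.apis: Dict[str, List[str]] = defaultdict(list)    # node id -> API names on that node
        self.summary: Dict[str, int] = {}                      # node id -> "N API calls" count
        self.succ: Dict[str, Set[str]] = defaultdict(set)      # node id -> callee node ids


def parse_call_graph(text: str) -> CallGraph:
    """Parse the flat token stream: node definitions interleaved with a->b edges."""
    g = CallGraph()
    toks = text.split()
    i, cur = 0, None
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            g.succ[m.group(1)].add(m.group(2))
            cur = None                      # labels never follow an edge in this format
            i += 1
        elif NODE_ID_RE.match(t) and toks[i + 1:i + 3] == ["API", "calls"]:
            if cur is not None:
                g.summary[cur] = int(t)     # callee was summarised rather than expanded
            i += 3
        elif NODE_ID_RE.match(t) and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = t                         # new node: id followed by its address
            g.addr[cur] = toks[i + 1]
            i += 2
        else:
            if cur is not None and t[0].isalpha():
                g.apis[cur].append(t)       # API name attached to the current node
            i += 1
    return g


def reachable_apis(g: CallGraph, start: str) -> Set[str]:
    """Every API name on any node reachable from start (start included)."""
    seen, q, out = {start}, deque([start]), set()
    while q:
        n = q.popleft()
        out.update(g.apis.get(n, []))
        for s in g.succ.get(n, ()):
            if s not in seen:
                seen.add(s)
                q.append(s)
    return out


def on_cycle(g: CallGraph, node: str) -> bool:
    """True when node can reach itself, i.e. the sandbox recorded a loop through it."""
    seen, q = set(), deque(g.succ.get(node, ()))
    while q:
        n = q.popleft()
        if n == node:
            return True
        if n not in seen:
            seen.add(n)
            q.extend(g.succ.get(n, ()))
    return False


def find_kill_loops(g: CallGraph) -> List[str]:
    """Addresses of loop-body nodes (no API of their own) that reach OpenProcess and TerminateProcess."""
    hits = []
    for n, addr in g.addr.items():
        if n in g.apis:
            continue                        # an API call site is not the loop body
        if on_cycle(g, n) and {"OpenProcess", "TerminateProcess"} <= reachable_apis(g, n):
            hits.append(addr)
    return sorted(set(hits))


if __name__ == "__main__":
    graph = parse_call_graph(SAMPLE_GRAPH)
    print("kill loops at:", find_kill_loops(graph))
    print("APIs reachable from 71ff6:", sorted(reachable_apis(graph, "11554")))
```

The dump lists each callee once, so `reachable_apis` over the full page answers the question an analyst actually has ("which functions can end up calling TerminateProcess?") without reading the graph image; `on_cycle` is what separates a one-shot enumeration from a resident killer loop.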
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 000603F9
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00060427
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 0006046A
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00060496
• GetTickCount.KERNEL32 ref: 00060587
• GetCommandLineA.KERNEL32 ref: 0006063E
• Sleep.KERNEL32(000003E8), ref: 00060CDF
  • Part of subcall function 0005B150: CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0005B1D7
• Sleep.KERNEL32(00000D05), ref: 00060BD2
  • Part of subcall function 0005B150: GetFileTime.KERNEL32(00000000,?,?,?), ref: 0005B256
  • Part of subcall function 0005B150: CloseHandle.KERNEL32(00000000), ref: 0005B26B
• Sleep.KERNEL32(000007D0), ref: 00060DD1
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00060EA8
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00060ECC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00060EFE
• SetFileAttributesA.KERNEL32(?,00000002), ref: 000610B9
• SetFileAttributesA.KERNEL32(?,00000080), ref: 000610E7
• GetCommandLineA.KERNEL32(00000000), ref: 0006120E
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 0006132B
  • Part of subcall function 00062290: lstrlen.KERNEL32(?), ref: 000622A2
  • Part of subcall function 00062290: CharLowerBuffA.USER32(?,00000000), ref: 000622BE
• MessageBoxA.USER32(00000000,00000004,00000005,00000000), ref: 00061663
  • Part of subcall function 000572E0: CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00057452
• CloseHandle.KERNEL32(00000130), ref: 00061AC5
• SetFileAttributesA.KERNELBASE(?,00000080), ref: 00061AE1
• CopyFileA.KERNEL32(?,?,00000000), ref: 00061B07
• SetFileAttributesA.KERNELBASE(?,00000002), ref: 00061B43
• Sleep.KERNELBASE(000003E8), ref: 00061CAC
• WSAStartup.WS2_32(00000202,?), ref: 00061947
  • Part of subcall function 00072780: ExitProcess.KERNEL32 ref: 000727B0
• Sleep.KERNEL32(000007D0), ref: 00061DFC
• SetFileAttributesA.KERNEL32(C:\daxjjwrfm\tkjnbticppc.exe,00000080), ref: 00061E27
• CopyFileA.KERNEL32(?,C:\daxjjwrfm\tkjnbticppc.exe,00000000), ref: 00061E45
• SetFileAttributesA.KERNEL32(C:\daxjjwrfm\tkjnbticppc.exe,00000002), ref: 00061E7B
  • Part of subcall function 0007C080: Sleep.KERNEL32(000003E8), ref: 0007C1C3
  • Part of subcall function 0005BBA0: wvsprintfA.USER32(00000000,?,000709D1), ref: 0005BBEB
• CreateThread.KERNEL32(00000000,00000000,Function_0002FE10,00000000,00000000,00000000), ref: 00062194
• Sleep.KERNEL32(0000C350), ref: 00062210
Strings
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: File$AttributesSleep$Create$CopyMutex$CloseCommandHandleLineModuleName$BuffCharCountEnvironmentExitLowerMessageProcessStartupThreadTickTimeVariablelstrlenwvsprintf
• String ID: C:\Users\user$C:\daxjjwrfm\tkjnbticppc.exe$Xzc$\t3$x7;C
• API String ID: 1500488346-251304320
• Opcode ID: c9c3b4c8bbb59aaca7b4bfae332ca51f7bd57e67629d0a85633d1a299dce583c
• Instruction ID: 8e6c9c0b55d084f31554815b7bdf14b70baf7e421b34199c8fbbafbe7134d654
• Opcode Fuzzy Hash: c9c3b4c8bbb59aaca7b4bfae332ca51f7bd57e67629d0a85633d1a299dce583c
• Instruction Fuzzy Hash: 6803FE71A00201DBF758DF64ED92AAA37F6FB94311B14812BE446CB2B2EB7C9941CF51
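The API list above records the persistence step in call order: SetFileAttributesA(path, 00000080 = FILE_ATTRIBUTE_NORMAL) to clear any existing attributes, CopyFileA(self, path), then SetFileAttributesA(path, 00000002 = FILE_ATTRIBUTE_HIDDEN), with the concrete target C:\daxjjwrfm\tkjnbticppc.exe, and the whole routine is padded with Sleep calls that add up to roughly a minute (the final 0000C350 alone is 50 s, which is why a short sandbox run can stop while the process sleeps). The script below is an added example, not part of the report or of the sample: it parses lines in this report's API-list format, flags a copy to a concrete path that is later marked hidden, and sums the Sleep budget so an analyst can pick a run time that outlasts it. The trace lines are a constructed subset copied from the list above; the earlier copies whose paths the report shows only as "?" cannot be tied to a file and are deliberately not reported. Function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from this report's API list, in the order
# the report shows them. Not a complete trace.
SAMPLE_TRACE = r"""
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 000603F9
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00060427
• GetTickCount.KERNEL32 ref: 00060587
• Sleep.KERNEL32(000003E8), ref: 00060CDF
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00060ECC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00060EFE
• SetFileAttributesA.KERNEL32(?,00000002), ref: 000610B9
• Sleep.KERNEL32(000007D0), ref: 00061DFC
• SetFileAttributesA.KERNEL32(C:\daxjjwrfm\tkjnbticppc.exe,00000080), ref: 00061E27
• CopyFileA.KERNEL32(?,C:\daxjjwrfm\tkjnbticppc.exe,00000000), ref: 00061E45
• SetFileAttributesA.KERNEL32(C:\daxjjwrfm\tkjnbticppc.exe,00000002), ref: 00061E7B
  • Part of subcall function 0007C080: Sleep.KERNEL32(000003E8), ref: 0007C1C3
• Sleep.KERNEL32(0000C350), ref: 00062210
"""

FILE_ATTRIBUTE_HIDDEN = 0x02   # Win32 constant
FILE_ATTRIBUTE_NORMAL = 0x80   # Win32 constant

# One report line: optional "Part of subcall function XXXX:" prefix, Api.MODULE,
# optional "(args)", optional ", ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]+))?"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]   # callee address when the line is "Part of subcall function"


def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref") or "", m.group("sub")))
    return calls


def _hex(arg: str) -> Optional[int]:
    """Report arguments are 8-digit hex or literal strings; '?' means unknown."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def find_hidden_self_copy(calls: List[Call]) -> List[dict]:
    """CopyFileA to a concrete destination followed by SetFileAttributesA(dest, HIDDEN)."""
    copied = {}   # destination path -> ref of the CopyFileA that wrote it
    findings = []
    for c in calls:
        if c.api == "CopyFileA" and len(c.args) >= 2 and c.args[1] != "?":
            copied[c.args[1]] = c.ref
        elif c.api == "SetFileAttributesA" and len(c.args) >= 2:
            path, attrs = c.args[0], _hex(c.args[1])
            if attrs is not None and attrs & FILE_ATTRIBUTE_HIDDEN and path in copied:
                findings.append({"path": path, "copy_ref": copied.pop(path), "hide_ref": c.ref})
    return findings


def sleep_budget_ms(calls: List[Call]) -> int:
    """Total milliseconds the routine spends in Sleep, subcalls included."""
    total = 0
    for c in calls:
        if c.api == "Sleep" and c.args:
            total += _hex(c.args[0]) or 0
    return total


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for f in find_hidden_self_copy(trace):
        print(f"hidden self-copy: {f['path']} (copy @ {f['copy_ref']}, hidden @ {f['hide_ref']})")
    print("sleep budget:", sleep_budget_ms(trace), "ms")
```

The same check applies to any sandbox API log with ordered calls: the signal is not CopyFileA or SetFileAttributesA alone, both of which installers use, but a copy whose destination is then hidden by the same process within a few calls.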

Control-flow Graph

[Basic-block graph for the function at 62490: block address ranges, call targets, and a->b edges, rendered in the report as a graph with executed and not-executed blocks marked. API calls on its paths: GetVersionExA, CreateDirectoryA (several sites), DeleteFileA and RemoveDirectoryA, GetTempPathA (two sites), and SetFileAttributesA; it calls into the helpers 7ee20, 7c640, 6d0d0, 68090, 750d0, 55730, 5b980, 73840, 7e820, 77610, 73060, 7f8f0, 75860, 5bba0, 540b0, 79e60 and 80840.]
APIs
• GetVersionExA.KERNEL32(0009EAC8), ref: 00062572
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 000626EF
• DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00062843
• RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 0006289F
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0006293F
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000629E1
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00062CAC
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00062D6E
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00062EB0
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0006307B
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 000631FA
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 0006344D
Strings
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Users\user$C:\daxjjwrfm\$Wq0O$\
• API String ID: 1691758827-149769076
• Opcode ID: c3129c2607c681c9c429aa1e65eab04391481cc20a7570861ae575e73da5cd03
• Instruction ID: 6a6d5ec8a1039e7c0e0de4d7dac3499c66d0ca0fb20506840169432a459764aa
• Opcode Fuzzy Hash: c3129c2607c681c9c429aa1e65eab04391481cc20a7570861ae575e73da5cd03
• Instruction Fuzzy Hash: AA8225B1A00205CBF718DF68EC92ABA37F5F754311B00812BE945C72B6EB7C9A45CB95

Control-flow Graph
APIs
• GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000001), ref: 0007DD1A
• LoadLibraryA.KERNELBASE(00000000,?,?,?,?,?,?,00000000,00000001), ref: 0007DDBB
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0007DE59
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0007DEBE
• HeapAlloc.KERNEL32(0007D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0007DF03
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0007DF39
• GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0007DF73
• HeapFree.KERNEL32(0007D075,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0007DFDD
• HeapAlloc.KERNEL32(0007D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0007E00E
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0007E035
Strings
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: FreeHeapLibrary$Alloc$AdaptersAddressInfoLoadProcProcess
• String ID: J)6v
• API String ID: 994048614-3523960662
• Opcode ID: 54cadc5a24616ce63726f79c77feca6455d004d9f213715d488e42991060a342
• Instruction ID: 8615420d5a7f2e235e826ff2b59819db161525b4ec0e2cf5e3c77340f2245026
• Opcode Fuzzy Hash: 54cadc5a24616ce63726f79c77feca6455d004d9f213715d488e42991060a342
• Instruction Fuzzy Hash: A252DF72A11701DFF318DF28EC92AAA37F1F759321B10812BE889C7661E77C9941CB55

Control-flow Graph
APIs
• OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 0006826F
• CreateServiceA.ADVAPI32(00000000,01100860,01100860,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 000682CA
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00068301
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00068323
• CloseServiceHandle.SECHOST(00000000), ref: 0006833A
• OpenServiceA.ADVAPI32(00000000,01100860,00000010), ref: 0006838B
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 000683C2
• CloseServiceHandle.ADVAPI32(00000000), ref: 00068408
• CloseServiceHandle.ADVAPI32(00000000), ref: 00068481
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID:
• API String ID: 3525021261-0
• Opcode ID: b10f191167a0523ad1674fc876adbbfd4a696f5b6ce5bf022b54bc4581886b42
• Instruction ID: 010c8cea4c1605aa1c17e5e144340648725bf59c56f9fbb84c4a881b5713c722
• Opcode Fuzzy Hash: b10f191167a0523ad1674fc876adbbfd4a696f5b6ce5bf022b54bc4581886b42
• Instruction Fuzzy Hash: 5661B9B1A056529BF304CB68FC86B3A37F5FB44702F14811BE985CA2B4EB7C9881CB41

Control-flow Graph
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0007327A
                                                                                                                                                                                                              • WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 0007344B
                                                                                                                                                                                                              • CloseHandle.KERNELBASE(?), ref: 000734DA
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$CloseCreateHandleWrite
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1065093856-0
                                                                                                                                                                                                              • Opcode ID: 15571a9d054dbaed1acf2e61bd7c9e2ffe413d543ddb3fc1b8eec53c5e163bf5
                                                                                                                                                                                                              • Instruction ID: 7d75d083ca7adcb64d2b2666c32f045e780f3b7c73729b6f8677b52ff53adf52
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 15571a9d054dbaed1acf2e61bd7c9e2ffe413d543ddb3fc1b8eec53c5e163bf5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E7C11376A10610DBF704DF68FC91AAA73F5F754321B10812BE849CB2B5E77C9981CB85

Control-flow Graph

• Graph image not reproduced. Function spanning 77040-774c1 (executed and not-executed basic blocks); internal calls to 56590, 55730, 73840, 6cc70 (four times in the 773fc-77457 block) and 55070; API calls GetProcAddress (twice) and CryptGenRandom.
APIs
• GetProcAddress.KERNEL32(75B30000,00000000), ref: 00077229
• GetProcAddress.KERNEL32(75B30000,00000000), ref: 00077275
• CryptGenRandom.ADVAPI32(00000000,00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000773AD
• Decoded: both GetProcAddress calls use the same module handle (0x75B30000) and the procedure name was not recovered as a readable string, i.e. imports are resolved at runtime rather than through the import table, consistent with the "Contains functionality to dynamically determine API calls" signature. CryptGenRandom is called with dwLen = 4, a single 32-bit random value from the CryptoAPI provider. The hProv value shown as 0 is a static-analysis placeholder, not evidence of a NULL provider handle.
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: AddressProc$CryptRandom
• String ID:
• API String ID: 646182245-0
• Opcode ID: 75addd10083dcffcf620dea16cb2476ec312e03cbb94318ca269cc2192f17b10
• Instruction ID: adbfc2e6dc80a2d935b499ed44f57e0e77123a530b0c1efd0a96dbbbce4250b8
• Opcode Fuzzy Hash: 75addd10083dcffcf620dea16cb2476ec312e03cbb94318ca269cc2192f17b10
• Instruction Fuzzy Hash: B8B11F71A14242CFF718DF28ED92A6637F0F754361B10812BE98ACB6B1E73D9841CB45

Control-flow Graph

• Graph image not reproduced. Function spanning 7cbe0-7d6ef (executed and not-executed basic blocks); the single API call is GetComputerNameA, followed by a long chain of more than two dozen internal subroutines (74a90, 75810, 80840 and 54460 are called repeatedly, plus 74580, 7ee20, 56460, 66f70, 55730, 7f8f0, 73840, 5b980, 750d0, 79e60, 7db50, 540b0, 74c30, 6ccf0, 72380, 7e820, 77610, 78ba0, 56660, 51890, 7b500, 53a00 and 64010).
APIs
• GetComputerNameA.KERNEL32(?,00000010), ref: 0007CD44
  • Part of subcall function 000540B0: lstrlen.KERNEL32(?,?,00051038,?), ref: 000540DD
• Decoded: nSize = 0x10 (16) is exactly MAX_COMPUTERNAME_LENGTH + 1, the buffer size needed for a NetBIOS computer name, so the call retrieves the host name into a 16-byte buffer. The repeated 74a90/75810/80840/54460 sequence that follows it operates on strings (54460 calls lstrlen); what it builds is not visible from this listing.
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: ComputerNamelstrlen
• String ID:
• API String ID: 4141851928-0
• Opcode ID: c9cbe8a50c98fecd29ffba9c47b01699922842d8f4a21e17e6edf23f24e7272b
• Instruction ID: a426cfda82ac7e7e6876ea35c2c00b391c0945e6a46424e78539e82a8d0df344
• Opcode Fuzzy Hash: c9cbe8a50c98fecd29ffba9c47b01699922842d8f4a21e17e6edf23f24e7272b
• Instruction Fuzzy Hash: 2D52D171910205CBF758DF24EC92AFA73B5FB54301F50812BE44A972B2EB7CAA44CB59

Control-flow Graph

• Graph image not reproduced. Function spanning 738b0-73a94 (executed and not-executed basic blocks); internal calls to 79e60 (twice); API calls CreateProcessA and CloseHandle (twice, in the 73a3a-73a62 block reached on the success path).
APIs
• CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000008,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00073A0F
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00073A3E
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00073A52
• Decoded: bInheritHandles (5th argument) is 0 and dwCreationFlags (6th argument) is 0x8, DETACHED_PROCESS, so the child is started without inheriting handles and without a console. lpApplicationName and lpStartupInfo were not recovered ('?'); the pair of CloseHandle calls after the call is consistent with closing the process and thread handles returned in PROCESS_INFORMATION. CreateProcessA takes ten parameters; the additional entries printed here are stack slots beyond the call's arity and carry no meaning.
Strings
• D. The single character 'D' is 0x44 = 68, which is sizeof(STARTUPINFOA) on 32-bit Windows; a store of that constant into the cb field before CreateProcessA is the most likely origin, so treat it as a size constant rather than a meaningful string.
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: ec5526b817d22c11b428f01062622e05b3e54cb4a222db77ba6fd875d5a445f1
• Instruction ID: 49fe2cb8b8573fc366e4022dc48cf651a1c6a24d4e477737e6c6e19a16d3c0c9
• Opcode Fuzzy Hash: ec5526b817d22c11b428f01062622e05b3e54cb4a222db77ba6fd875d5a445f1
• Instruction Fuzzy Hash: 9041E271A012059BFB08CF58ED92BA937F5FB54711F00801BE54ADB2B4D7BD9944CB89

Control-flow Graph

• Graph image not reproduced. Function spanning 7e880-7ebd8 (executed and not-executed basic blocks); internal calls to 6cb00, 56660, 56590, 5aed0, 7e820, 80850, 7e860, 51890, 55070 and 79e60; API calls CreateFileA, ReadFile and CloseHandle. The ReadFile block (7e9b0-7ea5b) is re-entered from 7eaa0-7eac0, so the read is chunked.
APIs
• CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0007E966
• ReadFile.KERNEL32(00000000,?,00005000,00000000,00000000), ref: 0007E9D7
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0007EADD
• Decoded: dwDesiredAccess 0x80000000 is GENERIC_READ, dwShareMode 1 is FILE_SHARE_READ and dwCreationDisposition 3 is OPEN_EXISTING, so this routine opens an existing file read-only and consumes it in 0x5000-byte (20480-byte) ReadFile chunks. The chunk size matches the write routine at 73060, which suggests the two share a file-copy buffer size. The file handle shown as 00000000 in ReadFile and CloseHandle is a static-analysis placeholder for a value known only at runtime.
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: File$CloseCreateHandleRead
• String ID:
• API String ID: 1035965006-0
• Opcode ID: d022674827a7dc407aa4bbdc1eb7b7b9a9fc1733cb9bb7dd01d27c8f7f71cbb5
• Instruction ID: 61567195bc79249e79e9a429c14a33729cca9a493501ba3b0c3e939fbc643ef4
• Opcode Fuzzy Hash: d022674827a7dc407aa4bbdc1eb7b7b9a9fc1733cb9bb7dd01d27c8f7f71cbb5
• Instruction Fuzzy Hash: C681DF75A10204DBF744DF68FC91AAA33B5F798301F10855BE989872A1EB3CA941CF95

Control-flow Graph
[Control-flow graph of function 7c640-7c819, blocks marked Executed / Not Executed; edges to the API calls AllocateAndInitializeSid, CheckTokenMembership, FreeSid]
APIs
• AllocateAndInitializeSid.ADVAPI32(00062591,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00062591), ref: 0007C701
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0007C737
• FreeSid.ADVAPI32(?), ref: 0007C798
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: b729f540ee965d9a88bc7a912381c732dbbc25315f77053afcc8b8c57b227edd
• Instruction ID: f78b861ce450773965a4fb0957ad58b5f527f9ec4267d8d5d3aab9f08b916e92
• Opcode Fuzzy Hash: b729f540ee965d9a88bc7a912381c732dbbc25315f77053afcc8b8c57b227edd
• Instruction Fuzzy Hash: 4041BB39A04244DFF708DB68ED95A6A3BF4FB58300B54815EE586C7261EB3CA941CF05

Control-flow Graph
[Control-flow graph of function 66f00-66f67, blocks marked Executed / Not Executed; edges to the API calls GetProcessHeap, RtlAllocateHeap]
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,00069195,021A1850,?,?,?,?,?,00076DD6), ref: 00066F59
• RtlAllocateHeap.NTDLL(00000000,?,00069195,021A1850,?,?,?,?,?,00076DD6), ref: 00066F60
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 5f18f60b81565bea67338aad2ada4728da2d1c014c878603f6ce615f1e46693d
• Instruction ID: 6350b1875706232b56cf39a66698cee4883391396c99091d43bbcb959d31c276
• Opcode Fuzzy Hash: 5f18f60b81565bea67338aad2ada4728da2d1c014c878603f6ce615f1e46693d
• Instruction Fuzzy Hash: 13F020315007008BEB08DB64FC89B2537EAFB00701B04401AF106C7272EEBE9800CBD8

Control-flow Graph
[Control-flow graph of function 6c520-6c57d, blocks marked Executed / Not Executed; edges to the API calls GetProcessHeap, RtlFreeHeap]
APIs
• GetProcessHeap.KERNEL32(00000000,00080A4E,?,00080A4E,00000000), ref: 0006C549
• RtlFreeHeap.NTDLL(00000000,?,00080A4E,00000000), ref: 0006C550
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 3a0760c9d5094202db3b0f0ccdb25f906f1e977c04f121bfcb4af72fcc8f29c7
• Instruction ID: ea609cd0484bd88515f20e5943d80197443c26e711f8538784a6ded49a5e98ab
• Opcode Fuzzy Hash: 3a0760c9d5094202db3b0f0ccdb25f906f1e977c04f121bfcb4af72fcc8f29c7
• Instruction Fuzzy Hash: 1FF030719186049FF7049F58EC9697537E5BB04704B04440AE99AC7621D778A880CB65

Control-flow Graph
[Control-flow graph of function 62290-622df, a single block marked Executed / Not Executed; edges to the API calls lstrlen, CharLowerBuffA]
APIs
• lstrlen.KERNEL32(?), ref: 000622A2
• CharLowerBuffA.USER32(?,00000000), ref: 000622BE
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0
• Opcode ID: f8688b3cd131e25061c3f2d9c352abbbebcf47a767c05761e86265e2fb63edca
• Instruction ID: e771282ab910dda538b99a1ddef555359f946b4ea4990048dfffdb04c1c45494
• Opcode Fuzzy Hash: f8688b3cd131e25061c3f2d9c352abbbebcf47a767c05761e86265e2fb63edca
• Instruction Fuzzy Hash: F4E04F721149249BA3019F98FC494F637FCFB157023084067E6C9C2674EB7C6941C7B5

Control-flow Graph
[Control-flow graph of function 572e0-57590, blocks marked Executed / Not Executed; edges to internal calls 75860, 55730, 750d0, 73840, 79e60 and to the API call CreateFileA]
APIs
• CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00057452
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 901ce219fb3e8d85a871b84f40dccbcf2164a0901e792efa3cc81a020de96963
• Instruction ID: c40783729c3e6fcf82a2ccd00c21fe56a7653e86d42464f51fcefe0b0a7c06b1
• Opcode Fuzzy Hash: 901ce219fb3e8d85a871b84f40dccbcf2164a0901e792efa3cc81a020de96963
• Instruction Fuzzy Hash: D9510E72A016148FF358DB28FC92ABA33B5F798711F10812BE945C76B1E77C9881CB45

Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
• Entry block: 76d32-76dd1; calls 52ef0, 520e0, 75400, 68660
APIs
  • Part of subcall function 000520E0: GetStdHandle.KERNEL32(000000F6,?,?,00076D5F), ref: 00052113
  • Part of subcall function 000520E0: GetStdHandle.KERNEL32(000000F5,?,?,00076D5F), ref: 00052145
  • Part of subcall function 000520E0: GetStdHandle.KERNEL32(000000F4,?,?,00076D5F), ref: 00052198
• ExitProcess.KERNEL32 ref: 00076E44
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: Handle$ExitProcess
• String ID:
• API String ID: 256993070-0
• Opcode ID: a44edc432c8029536e3c1362b14e9eafea0f71a77add6e388e5b16b9b915a030
• Instruction ID: 972e00c6a0e549c8411101e95cc94d4e8889fa318ba359aa321a3df51b742bea
• Opcode Fuzzy Hash: a44edc432c8029536e3c1362b14e9eafea0f71a77add6e388e5b16b9b915a030
• Instruction Fuzzy Hash: E021F636A115118BF708EF34EC925B533A2F764762300C517E8028B7AAFB7D8941C745

Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
• Entry block: 72780-727b0; calls 5ad30, ExitProcess
APIs
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 97d2471b80e8b25b93c4ac7f1d7be9445a89ca8740b0455a170bdf8c53d910b1
• Instruction ID: 543bc50f3fccad2f8f7759aed348aa41553e851b486b63bc9218a31115fc8c13
• Opcode Fuzzy Hash: 97d2471b80e8b25b93c4ac7f1d7be9445a89ca8740b0455a170bdf8c53d910b1
• Instruction Fuzzy Hash: 84D05E701207048A9B00EF64FC8562237ACFB407017401426E8018F261E37CEA8187D1
APIs
• CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 0007F00B
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0007F086
• CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 0007F0A6
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0007F147
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0007F2C2
• CloseHandle.KERNEL32(00000000), ref: 0007F353
• CloseHandle.KERNEL32(?), ref: 0007F367
• CloseHandle.KERNEL32(00000000), ref: 0007F37B
• CloseHandle.KERNEL32(00000000), ref: 0007F3A9
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0007F446
• CloseHandle.KERNEL32(00000000), ref: 0007F4D4
• CloseHandle.KERNEL32(00000000), ref: 0007F4E8
• WaitForSingleObject.KERNEL32(?,00002710), ref: 0007F56B
• CloseHandle.KERNEL32(?), ref: 0007F586
• CloseHandle.KERNEL32(?), ref: 0007F5A7
Strings
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: ;8\w$<,]8$D
• API String ID: 1130065513-4129721015
• Opcode ID: 507fde8e75ee3019c718721e96341979aa525d602102c710b1ed370383263c85
• Instruction ID: 89cd3618976d5e33e2d0b59835af78700fcee30d04033482d4208bdda53e7711
• Opcode Fuzzy Hash: 507fde8e75ee3019c718721e96341979aa525d602102c710b1ed370383263c85
• Instruction Fuzzy Hash: F512CC71A04206DFF708CF68ED95ABA37B5FB98311B10812BE84AD76B4E73C9941CB54
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 0007B8EC
• Process32First.KERNEL32(00000000,00000128), ref: 0007BA96
Strings
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: CreateFirstProcess32SnapshotToolhelp32
• String ID: 9y8
• API String ID: 2353314856-3592070472
• Opcode ID: 2a5191a33c10599133b9fda0c99a57b2f3cc7cf8b70a235e52ada2709a99472c
• Instruction ID: bfaf22da486e82c5f8bbebb1b8fbdb18c94eb88892b04ffb048b4155507302d1
• Opcode Fuzzy Hash: 2a5191a33c10599133b9fda0c99a57b2f3cc7cf8b70a235e52ada2709a99472c
• Instruction Fuzzy Hash: 96F1E271A00211CBF718DF29ED92A7A37F1FB94311B14812BE48AC72B5EB7C9941CB56
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 000540B0: lstrlen.KERNEL32(?,?,00051038,?), ref: 000540DD
                                                                                                                                                                                                              • Sleep.KERNEL32(000003E8), ref: 00056189
                                                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?), ref: 00056274
                                                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 0005632E
                                                                                                                                                                                                              • FindNextFileA.KERNEL32(?,?), ref: 00056384
                                                                                                                                                                                                              • FindClose.KERNEL32(?), ref: 000563AA
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FileFind$CloseDeleteFirstNextSleeplstrlen
                                                                                                                                                                                                              • String ID: ysh
                                                                                                                                                                                                              • API String ID: 3282225923-1904326249
                                                                                                                                                                                                              • Opcode ID: 73b57dabfaec1a82a3827e887fd0b674cfa8598f7c23469169558de3c60424e5
                                                                                                                                                                                                              • Instruction ID: 26e44312713812497a2d8a3a9a2bb57762b48412d8fd32ade9cc178b520f7de9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 73b57dabfaec1a82a3827e887fd0b674cfa8598f7c23469169558de3c60424e5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 64812272A002149FF718DF64FD92AAA77B5FB94311F44816BE945872B0EB7C8A04CF91
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000,00000001), ref: 0007A124
                                                                                                                                                                                                              • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,0000000A,?,00000000,?,00000000,00000001), ref: 0007A164
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,00000000,00000001), ref: 0007A176
                                                                                                                                                                                                              • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,-0000001A,0000000A,?,00000000,00000001), ref: 0007A24F
                                                                                                                                                                                                                • Part of subcall function 0005BBA0: wvsprintfA.USER32(00000000,?,000709D1), ref: 0005BBEB
                                                                                                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,00000001), ref: 0007A44C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicewvsprintf
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 475583450-0
                                                                                                                                                                                                              • Opcode ID: 6f5c91c89b50387597b86163f08012980f938e1efe6785c34f5c682db143bde0
                                                                                                                                                                                                              • Instruction ID: 51bed620f331432abf8170693f66721b686902c90553d71e6975de0dea641fc3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6f5c91c89b50387597b86163f08012980f938e1efe6785c34f5c682db143bde0
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2DC1FF72A00200DBF754CF68ED81AAA77F5FB99300F00812BE549DB2B1E77C9941CB56
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID: !|/0$/$@(l$
                                                                                                                                                                                                              • API String ID: 0-3106747989
                                                                                                                                                                                                              • Opcode ID: aed0149a626078f6e2923335ac0f38006c2bae0a9ed71926d40c6b5dd668848e
                                                                                                                                                                                                              • Instruction ID: 78a6868d612596ec6f406c0d55f6c58bf61edb70f1fe9e6ec1eb48aba6877fcc
                                                                                                                                                                                                              • Opcode Fuzzy Hash: aed0149a626078f6e2923335ac0f38006c2bae0a9ed71926d40c6b5dd668848e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7D020171E10200CBF714EB24EC92AFA77B5FB54311F10C12AE44A9B2A2EB7C5A45CF95
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0005B1D7
                                                                                                                                                                                                              • GetFileTime.KERNEL32(00000000,?,?,?), ref: 0005B256
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0005B26B
                                                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0005B2E7
                                                                                                                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 0005B31A
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0005B334
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                                              • String ID: td9k
                                                                                                                                                                                                              • API String ID: 3236713533-1579400769
                                                                                                                                                                                                              • Opcode ID: a19766808ccf964d59109a9dbe5962ea3aa38fb50451983e69ed78b7f274289b
                                                                                                                                                                                                              • Instruction ID: 30ee8943805e5269473fdd05a678ab1b83efab3adc3af53327bd3cdd25403a74
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a19766808ccf964d59109a9dbe5962ea3aa38fb50451983e69ed78b7f274289b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1451E375A15201AFF304CF69FC80A6AB7B5FB84314F10826BE949CB2B4E7389940CF85
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegisterServiceCtrlHandlerA.ADVAPI32(01100860,Function_00014290,?,?,00000072), ref: 0005B669
                                                                                                                                                                                                              • SetServiceStatus.ADVAPI32(00000000,000967EC,?,?,00000072), ref: 0005B70D
                                                                                                                                                                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000072), ref: 0005B721
                                                                                                                                                                                                              • SetServiceStatus.ADVAPI32(00000000,000967EC,?,?,00000072), ref: 0005B771
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,00001388,?,?,00000072), ref: 0005B7D0
                                                                                                                                                                                                              • SetServiceStatus.ADVAPI32(00000000,000967EC,00000072), ref: 0005B82A
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0005B841
                                                                                                                                                                                                              • SetServiceStatus.ADVAPI32(00000000,000967EC), ref: 0005B8AA
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
• Opcode ID: ca93018dcf52355744792a8297361c8eb8495fa93fe696026cf175a35abfc90e
• Instruction ID: ced5e25d6f851f3cd4a088e200d5a9e00d89076984f2db79c8ec305695a7b8be
• Opcode Fuzzy Hash: ca93018dcf52355744792a8297361c8eb8495fa93fe696026cf175a35abfc90e
• Instruction Fuzzy Hash: 1881B876609611CFF308CF29FD999267BA1F798706700852BE596CB3B4EB7E9805CB40
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,000000FF), ref: 0007A7F1
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,000000FF), ref: 0007A849
• CloseHandle.KERNEL32(00000000,?,?,000000FF), ref: 0007A885
• GetTickCount.KERNEL32 ref: 0007A8B8
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0007AA75
• WriteFile.KERNEL32(00000000,000000FF,?,?,00000000), ref: 0007AAC8
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0007AAE2
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID:
• API String ID: 3478262135-0
• Opcode ID: 915f5e7c45533c50140b478472fb2c1229127cc485d140acab8af7d7de84c563
• Instruction ID: dc8925697518442e8a0ea5dfc78437efd52fb06b0d0bb5d75e556a9e293ba9cd
• Opcode Fuzzy Hash: 915f5e7c45533c50140b478472fb2c1229127cc485d140acab8af7d7de84c563
• Instruction Fuzzy Hash: 13A1DF71A01210DBF304DF68ED92BBA33B5FB89711F14801BE949C72A5EB7C9941CB96
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00071F5E
• Process32First.KERNEL32(00000000,00000128), ref: 00071FDC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 000720A2
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
• String ID:
• API String ID: 3397401024-0
• Opcode ID: 4c3fde97c4c9ed122a4e83857107ab2b08816492ab4f885bad05c1f53c5203ab
• Instruction ID: f1942cdc0f76e45cb6d4baf3caa40e03b69e29e93ae3071a6204b88700f10513
• Opcode Fuzzy Hash: 4c3fde97c4c9ed122a4e83857107ab2b08816492ab4f885bad05c1f53c5203ab
• Instruction Fuzzy Hash: ABA1EF75A01211DFF718DF28ED916B977B5FB64311B10812BE889CA2B5E73C9A40CF49
APIs
  • Part of subcall function 000540B0: lstrlen.KERNEL32(?,?,00051038,?), ref: 000540DD
• CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000), ref: 0007BC6C
• Module32First.KERNEL32(00000000,00000224), ref: 0007BCE6
• CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 0007BE0E
• Process32Next.KERNEL32(?,00000128), ref: 0007BE48
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 0007BE96
Strings
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: CloseHandle$CreateFirstModule32NextProcess32SnapshotToolhelp32lstrlen
• String ID: 9y8
• API String ID: 2493088380-3592070472
• Opcode ID: fcc21446699343bf62402a2bba8ced011b7196b49835dee8cb3dc26aab320d12
• Instruction ID: 2124f4dd0f99410443b9a19df6f40212ef5aa639504bcb0d0354c27b31fb28cb
• Opcode Fuzzy Hash: fcc21446699343bf62402a2bba8ced011b7196b49835dee8cb3dc26aab320d12
• Instruction Fuzzy Hash: E671C071A04201CBFB18DF29ED92ABA37F5FB94314B10812BE84AC7271EB7C9941CB55
APIs
  • Part of subcall function 00062290: lstrlen.KERNEL32(?), ref: 000622A2
  • Part of subcall function 00062290: CharLowerBuffA.USER32(?,00000000), ref: 000622BE
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 000720A2
• TerminateProcess.KERNEL32(00000000), ref: 00072132
• CloseHandle.KERNEL32(00000000), ref: 0007217B
• Process32Next.KERNEL32(00000000,00000128), ref: 00072228
• CloseHandle.KERNEL32(00000000), ref: 0007227B
Memory Dump Source
• Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
Similarity
• API ID: CloseHandleProcess$BuffCharLowerNextOpenProcess32Terminatelstrlen
• String ID:
• API String ID: 3465298759-0
• Opcode ID: 2416aacd55c852dd72ba38d047499369f85f8a87b7306f9b9b0ecc3675970b96
• Instruction ID: d5bfd336181a9463758450dfbf387e3eb844d47be26868b557901da99c178bbc
• Opcode Fuzzy Hash: 2416aacd55c852dd72ba38d047499369f85f8a87b7306f9b9b0ecc3675970b96
• Instruction Fuzzy Hash: E661F175A01201DFF718DF24ED91AA973B5FB64310B10815BE88ACB275E73C9A41CF59
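The API listings above read as raw hex, but the values in the argument columns are what carry the capability: OpenProcess(00000001, ...) requests PROCESS_TERMINATE and is followed by TerminateProcess inside a Process32Next loop (a process-kill loop keyed on a lower-cased name, given the CharLowerBuffA subcall); CreateToolhelp32Snapshot(00000002) is TH32CS_SNAPPROCESS and (00000008) is TH32CS_SNAPMODULE; 00000128 and 00000224 are sizeof(PROCESSENTRY32) and sizeof(MODULEENTRY32) for the ANSI 32-bit structures; the two CreateFileA calls use GENERIC_READ with OPEN_EXISTING and then GENERIC_WRITE with CREATE_ALWAYS around a GetTickCount read. The following decoder is an added triage example, not Joe Sandbox code and not part of this report: it parses the report's own "• Func.MODULE(args), ref: addr" lines (the three records embedded below are copied from the APIs sections above), decodes the flag words using the documented Windows SDK constants, and infers capabilities from the decoded call set. The rule set and capability wording are this example's own choices. Caveat a practitioner should keep in mind: Joe prints stack slots past the API's real parameter count and uses "?" for values it could not recover, so the decoder only interprets positions within the documented arity and treats "?" as unknown.

```python
"""Decode Joe Sandbox 'APIs' listings into analyst-readable capabilities.

Added example for this report page; it is not Joe Sandbox code. The sample
records are copied from the APIs sections of this report; the constant
tables are the documented Windows SDK values; the capability rules are ours.
"""
import re

TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
          0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
STRUCT_SIZE = {0x128: "sizeof(PROCESSENTRY32)", 0x224: "sizeof(MODULEENTRY32)"}  # ANSI, 32-bit process

# One listing line: '• Func.MODULE(arg,arg,...), ref: ADDR'. Subcall lines carry a prefix, and a
# call with no recorded arguments (GetTickCount) has neither parentheses nor the comma.
LINE = re.compile(r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?(?P<func>\w+)\.(?P<mod>\w+)"
                  r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")

SAMPLE_RECORDS = {  # copied from this report, keyed by the first ref; stack residue kept as Joe prints it
    "0007A7F1": """
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,000000FF), ref: 0007A7F1
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,000000FF), ref: 0007A849
• CloseHandle.KERNEL32(00000000,?,?,000000FF), ref: 0007A885
• GetTickCount.KERNEL32 ref: 0007A8B8
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0007AA75
• WriteFile.KERNEL32(00000000,000000FF,?,?,00000000), ref: 0007AAC8
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0007AAE2""",
    "00071F5E": """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00071F5E
• Process32First.KERNEL32(00000000,00000128), ref: 00071FDC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 000720A2""",
    "000720A2": """
  • Part of subcall function 00062290: lstrlen.KERNEL32(?), ref: 000622A2
  • Part of subcall function 00062290: CharLowerBuffA.USER32(?,00000000), ref: 000622BE
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 000720A2
• TerminateProcess.KERNEL32(00000000), ref: 00072132
• CloseHandle.KERNEL32(00000000), ref: 0007217B
• Process32Next.KERNEL32(00000000,00000128), ref: 00072228
• CloseHandle.KERNEL32(00000000), ref: 0007227B""",
}


def parse_api_line(line):
    """Parse one listing line; hex arguments become ints, '?' and symbol names stay strings."""
    m = LINE.search(line)
    if not m:
        return None
    args = []
    for a in filter(None, (s.strip() for s in (m.group("args") or "").split(","))):
        try:
            args.append(int(a, 16))
        except ValueError:
            args.append(a)  # '?' (not recovered) or e.g. Function_00001300
    return {"func": m.group("func"), "module": m.group("mod"), "args": args,
            "ref": m.group("ref"), "subcall": "subcall" in m.group(0)}


def flag_str(value, table):
    """Expand a flag word into named bits; bits outside the table are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"


def decode(call):
    """Annotate only the argument positions whose value changes the security meaning of the call."""
    f = call["func"]
    ints = [x if isinstance(x, int) else None for x in call["args"]] + [None] * 8  # pad missing args
    if f == "CreateToolhelp32Snapshot" and ints[0] is not None:
        return ["dwFlags=" + flag_str(ints[0], TH32CS)]
    if f == "OpenProcess" and ints[0] is not None:
        return ["dwDesiredAccess=" + flag_str(ints[0], PROCESS_ACCESS)]
    if f in ("CreateFileA", "CreateFileW"):
        notes = []
        if ints[1] is not None:
            notes.append("dwDesiredAccess=" + flag_str(ints[1], GENERIC))
        if ints[4] is not None:
            notes.append("dwCreationDisposition=" + DISPOSITION.get(ints[4], hex(ints[4])))
        return notes
    if f in ("Process32First", "Process32Next", "Module32First", "Module32Next") and ints[1] is not None:
        return ["dwSize=" + STRUCT_SIZE.get(ints[1], hex(ints[1]))]
    return []


def capabilities(calls):
    """Map one function's decoded call set to the capabilities an analyst would put in a triage note."""
    funcs = {c["func"] for c in calls}
    notes = {(c["func"], n) for c in calls for n in decode(c)}
    caps = set()
    if "CreateToolhelp32Snapshot" in funcs and funcs & {"Process32First", "Process32Next"}:
        caps.add("enumerates running processes via Toolhelp32")
    if "CreateToolhelp32Snapshot" in funcs and funcs & {"Module32First", "Module32Next"}:
        caps.add("enumerates loaded modules via Toolhelp32")
    if "TerminateProcess" in funcs and ("OpenProcess", "dwDesiredAccess=PROCESS_TERMINATE") in notes:
        caps.add("opens other processes with PROCESS_TERMINATE and kills them")
    if ("CreateFileA", "dwDesiredAccess=GENERIC_READ") in notes and "ReadFile" in funcs:
        caps.add("reads an existing file")
    if ("CreateFileA", "dwDesiredAccess=GENERIC_WRITE") in notes and "WriteFile" in funcs:
        caps.add("creates/overwrites a file and writes to it")
    if "GetTickCount" in funcs:
        caps.add("reads the tick counter (timing or seed)")
    if "CharLowerBuffA" in funcs:
        caps.add("lower-cases a string before comparison (case-insensitive name match)")
    return caps


def triage(record_text):
    """Parse one 'APIs' record and return its calls, decoded arguments and inferred capabilities."""
    calls = [c for c in map(parse_api_line, record_text.splitlines()) if c]
    decoded = []
    for c in calls:
        notes = decode(c)
        if notes:
            decoded.append("%s@%s: %s" % (c["func"], c["ref"], ", ".join(notes)))
    return {"calls": calls, "decoded": decoded, "capabilities": capabilities(calls)}


if __name__ == "__main__":
    for start, text in SAMPLE_RECORDS.items():
        result = triage(text)
        print(start, sorted(result["capabilities"]))
        for line in result["decoded"]:
            print("   ", line)
```

Run on the three embedded records, the 000720A2 record decodes to "OpenProcess@000720A2: dwDesiredAccess=PROCESS_TERMINATE" and the kill capability, while the 00071F5E record, which has the same OpenProcess but no TerminateProcess in its listing, yields only the enumeration capability; the rules deliberately require the access right and the terminating call together so that a benign enumerator is not flagged. Extending the constant tables (for example adding the dwShareMode bits of CreateFileA) is the expected way to grow this for other reports.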
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,00078262,Function_00001300,00000001,?), ref: 0007199B
                                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 000719C2
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,00078262,Function_00001300,00000001,?), ref: 000719DD
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00078262,Function_00001300,00000001,?), ref: 000719F2
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,000000FF,?,00078262,Function_00001300,00000001,?), ref: 00071A19
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseCreateHandle$EventObjectSingleThreadWait
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1404307249-0
                                                                                                                                                                                                              • Opcode ID: 2c0259a0a54647c4608ac0c868ebf78956eeca948aeac16c60db3922871a439c
                                                                                                                                                                                                              • Instruction ID: d6e425b2cd487c6fbad7f34ee8dd633f960c436898acc4f26e3757f6f23f5408
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2c0259a0a54647c4608ac0c868ebf78956eeca948aeac16c60db3922871a439c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8921E131205300AFF314DF60ED95B627BB4FB48710F20851AF59A8B6B4D7BD98408B55
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00067221
                                                                                                                                                                                                              • RegSetValueExA.ADVAPI32(?,010FFCE8,00000000,00000001,?,00000000), ref: 000672E0
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00067300
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseOpenValue
                                                                                                                                                                                                              • String ID: IR
                                                                                                                                                                                                              • API String ID: 779948276-3379982419
                                                                                                                                                                                                              • Opcode ID: 5bc48b421dbdf3167519335f048b1941badc1f08df25eec24c139aa0fe9d6020
                                                                                                                                                                                                              • Instruction ID: 851f8621eb28616b227a410c7184772aef9a975bb5d06cf34d980cf57b7f0af3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5bc48b421dbdf3167519335f048b1941badc1f08df25eec24c139aa0fe9d6020
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BD4154762112119BF704DF28EC96ABA33F5F784326B14801BE889C7730E77C8841CB56
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0006C312
                                                                                                                                                                                                              • Process32First.KERNEL32(00000000,?), ref: 0006C35A
                                                                                                                                                                                                              • Process32Next.KERNEL32(00000000,00000128), ref: 0006C478
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Process32$CreateFirstNextSnapshotToolhelp32
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1238713047-0
                                                                                                                                                                                                              • Opcode ID: 4d48f6047f787f21ec90dbe13cd0693ab78c6c32a68f9dcb4a8f051431c78f69
                                                                                                                                                                                                              • Instruction ID: 9788425b909f6347abdddcd0e2a11a64dc598116b662e524cfaf9b36adb4a953
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4d48f6047f787f21ec90dbe13cd0693ab78c6c32a68f9dcb4a8f051431c78f69
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A751E075905211CBF724CF64FD55AB937B6FB84311F00801BE9869A7B4EB7C8A40CB95
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00080A87,00000000,?,?,?,?,?,00000001), ref: 0007FAF7
                                                                                                                                                                                                              • RtlReAllocateHeap.NTDLL(00000000,?,00080A87,00000000), ref: 0007FAFE
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?,?,00080A87,00000000,?,?,?,?,?,00000001), ref: 0007FB19
                                                                                                                                                                                                              • HeapAlloc.KERNEL32(00000000,?,00080A87,00000000,?,?,?,?,?,00000001), ref: 0007FB20
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Heap$Process$AllocAllocate
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1154092256-0
                                                                                                                                                                                                              • Opcode ID: 9a0dc9cd1b337e482f5330e195816ee87749ff818d21ab5331b349c296d5477e
                                                                                                                                                                                                              • Instruction ID: 66272b393f5d11db24c2eadd7348068a504f117dce75e1910f66eb56233be84a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9a0dc9cd1b337e482f5330e195816ee87749ff818d21ab5331b349c296d5477e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 43F03070601205EFFB049FB0EC09A6A3B68FF88751F108105F949C66A0DB399940CB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetSystemTimeAsFileTime.KERNEL32(00000001,00000001,00000000,00000001,00000000), ref: 00053E43
                                                                                                                                                                                                              • __aulldiv.LIBCMT ref: 00053E74
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Time$FileSystem__aulldiv
                                                                                                                                                                                                              • String ID: L9<8
                                                                                                                                                                                                              • API String ID: 2838486344-2160928743
                                                                                                                                                                                                              • Opcode ID: 5ae24007fa2b1124e319c8f041414714f8168f4dd47142eb3efd058e30f90bc1
                                                                                                                                                                                                              • Instruction ID: 3e86e127fe24b14e98322d221ee4a9b08a694b00f40b084c0f93a3627d0f388c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5ae24007fa2b1124e319c8f041414714f8168f4dd47142eb3efd058e30f90bc1
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D4412176A10200DBF318CF58ECA257A77B2FB95756320812BE8878B6A1D33C9945CF80
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000002.00000002.2169343766.0000000000051000.00000020.00000001.01000000.00000004.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169329567.0000000000050000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169366749.0000000000082000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169380862.0000000000083000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169394709.0000000000086000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                               • Associated: 00000002.00000002.2169416150.000000000009F000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000_ew4bjmdlid9hjn8.jbxd

Similarity
• API ID: CountSystemTickTime
• String ID: @(l$
• API String ID: 2164215191-2034585603
• Opcode ID: 76bde2d2eee4a34de0b9eaf0f31e29f8cc5206c873579798bcdb12c6da841c41
• Instruction ID: 3608b0c714c54879ebc8c5516e766075f87e924b78d11ccdef4df0acd8d5956b
• Opcode Fuzzy Hash: 76bde2d2eee4a34de0b9eaf0f31e29f8cc5206c873579798bcdb12c6da841c41
• Instruction Fuzzy Hash: 5D417C72A01211CFF348DF28FCC29AA37B1FB94765315812BD88AC6675EB7D9940CB91

Execution Graph

Execution Coverage: 17.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1947
Total number of Limit Nodes: 32
                                                                                                                                                                                                              execution_graph 10831 c23c40 10834 c25f00 10831->10834 10837 c42320 10834->10837 10836 c23c4f 10838 c4232e 10837->10838 10841 c240b0 lstrlen 10838->10841 10840 c4233a 10840->10836 10841->10840 10561 c3d2c0 10565 c3d2f0 10561->10565 10562 c3d33d 10563 c240b0 lstrlen 10563->10565 10564 c2bba0 wvsprintfA 10564->10565 10565->10562 10565->10563 10565->10564 10574 c224c6 ExitProcess 10575 c43ac0 10578 c45f40 10575->10578 10581 c45070 10578->10581 10580 c43acf 10584 c240b0 lstrlen 10581->10584 10583 c45080 10583->10580 10584->10583 10936 c4edc0 10937 c24e20 8 API calls 10936->10937 10938 c4eddf 10937->10938 10939 c45810 8 API calls 10938->10939 10940 c4edf4 10939->10940 10941 c22dd0 10944 c4fb30 10941->10944 10945 c45070 lstrlen 10944->10945 10946 c22ddf 10945->10946 10947 c48dd6 10952 c48de0 10947->10952 10948 c4969c 10949 c43840 2 API calls 10948->10949 10955 c49705 10949->10955 10950 c25f40 8 API calls 10950->10952 10951 c438a0 9 API calls 10951->10952 10952->10950 10952->10951 10954 c491c9 10952->10954 10953 c495b0 10953->10948 10957 c25f40 8 API calls 10953->10957 10958 c438a0 9 API calls 10953->10958 10954->10948 10954->10953 10956 c25f40 8 API calls 10954->10956 10959 c438a0 9 API calls 10954->10959 10956->10954 10957->10953 10958->10953 10959->10954 11146 c3cf50 11151 c22da0 11146->11151 11160 c47620 11151->11160 11161 c47645 11160->11161 11162 c22cc0 8 API calls 11161->11162 11163 c47660 11162->11163 10595 c4badc 10605 c4bae0 10595->10605 10597 c4bc51 CreateToolhelp32Snapshot 10597->10605 10598 c25730 GetProcessHeap RtlAllocateHeap 10598->10605 10599 c4bcde Module32First 10599->10605 10600 c438a0 9 API calls 10600->10605 10602 c43840 GetProcessHeap RtlFreeHeap 10602->10605 10603 c25f40 8 API calls 10604 c4bdfd CloseHandle Process32Next 10603->10604 10604->10605 
10605->10597 10605->10598 10605->10599 10605->10600 10605->10602 10605->10603 10606 c4be76 CloseHandle 10605->10606 10608 c240b0 lstrlen 10605->10608 10609 c2bba0 wvsprintfA 10605->10609 10608->10605 10609->10605 11164 c34d58 11167 c34d60 11164->11167 11165 c35323 11168 c35395 11165->11168 11169 c35389 11165->11169 11166 c37450 2 API calls 11166->11167 11167->11165 11167->11166 11171 c37450 2 API calls 11168->11171 11170 c37450 2 API calls 11169->11170 11172 c35390 11170->11172 11171->11172 10960 c253e0 10965 c226f0 10960->10965 10968 c4ec80 10965->10968 10969 c4ec8a 10968->10969 10971 c4ecae 10968->10971 10970 c3c520 2 API calls 10969->10970 10970->10971 10972 c353e0 10973 c26660 8 API calls 10972->10973 10974 c35425 10973->10974 10979 c35db0 10974->10979 10976 c26660 8 API calls 10978 c354fd 10976->10978 10977 c35444 10977->10976 10980 c35dc1 10979->10980 10981 c46ff0 8 API calls 10980->10981 10982 c35dd1 10981->10982 10982->10977 11173 c41360 11174 c41383 11173->11174 11175 c45250 8 API calls 11174->11175 11176 c413cc 11175->11176 11177 c44ae0 8 API calls 11176->11177 11178 c413e6 11177->11178 11179 c45f60 11180 c45f8f 11179->11180 11183 c4a610 11180->11183 11182 c45fee 11184 c4a64a 11183->11184 11185 c2b9e0 8 API calls 11184->11185 11186 c4a661 11185->11186 11186->11182 10614 c3c8e5 10617 c3c8f0 10614->10617 10615 c3ca18 10617->10615 10618 c270e0 10617->10618 10619 c27206 10618->10619 10620 c27110 10618->10620 10619->10617 10621 c36f00 2 API calls 10620->10621 10622 c27127 10621->10622 10622->10619 10623 c27130 10622->10623 10624 c3c520 2 API calls 10622->10624 10623->10617 10624->10619 10625 c47ee8 10627 c47db0 10625->10627 10626 c26660 8 API calls 10628 c485a4 10626->10628 10629 c48354 10627->10629 10630 c4835c 10627->10630 10631 c21890 8 API calls 10627->10631 10632 c43840 GetProcessHeap RtlFreeHeap 10627->10632 10634 c25730 GetProcessHeap RtlAllocateHeap 10627->10634 10635 c482d0 CreateThread CloseHandle 10627->10635 10636 c41950 CreateEventA CreateThread 
CloseHandle WaitForSingleObject 10627->10636 10630->10626 10631->10627 10632->10627 10634->10627 10635->10627 10639 c219c0 10635->10639 10637 c41a16 CloseHandle 10636->10637 10638 c41a0c 10636->10638 10637->10627 10638->10637 10640 c219ed 10639->10640 10641 c25730 2 API calls 10640->10641 10642 c21a44 10641->10642 10693 c2bba0 wvsprintfA 10642->10693 10644 c21a77 10645 c43840 2 API calls 10644->10645 10646 c21a89 10645->10646 10647 c438a0 9 API calls 10646->10647 10648 c21ac4 10647->10648 10649 c438a0 9 API calls 10648->10649 10650 c21b37 10649->10650 10651 c25f40 8 API calls 10650->10651 10652 c21b4b 10651->10652 10653 c25f40 8 API calls 10652->10653 10654 c21b97 10653->10654 10694 c4b7f0 10654->10694 10656 c21baa 10718 c4a050 OpenSCManagerA 10656->10718 10658 c21bd4 10659 c48ba0 9 API calls 10658->10659 10660 c21c03 10659->10660 10742 c336f0 10660->10742 10662 c21c16 10663 c25730 2 API calls 10662->10663 10664 c21c4f 10663->10664 10665 c2b980 9 API calls 10664->10665 10666 c21c71 10665->10666 10667 c43840 2 API calls 10666->10667 10668 c21c83 10667->10668 10669 c35b60 8 API calls 10668->10669 10670 c21ccd 10669->10670 10671 c45810 8 API calls 10670->10671 10672 c21cd6 10671->10672 10673 c25730 2 API calls 10672->10673 10674 c21cfa 10673->10674 10675 c44a90 9 API calls 10674->10675 10676 c21d5b 10675->10676 10677 c45810 8 API calls 10676->10677 10678 c21d67 10677->10678 10679 c43840 2 API calls 10678->10679 10680 c21d99 10679->10680 10681 c21890 8 API calls 10680->10681 10682 c21df7 10681->10682 10683 c336f0 8 API calls 10682->10683 10684 c21e3b 10683->10684 10685 c497d0 4 API calls 10684->10685 10686 c21e7a 10685->10686 10687 c25730 2 API calls 10686->10687 10688 c21e90 10687->10688 10689 c401b0 21 API calls 10688->10689 10690 c21ebb 10689->10690 10691 c43840 2 API calls 10690->10691 10692 c21f03 10691->10692 10693->10644 10695 c4b82f CreateToolhelp32Snapshot 10694->10695 10697 c4ba05 Process32First 10695->10697 10698 c4b92c 10695->10698 10714 c4babb 10697->10714 
10700 c25730 2 API calls 10698->10700 10701 c4b953 10700->10701 10703 c438a0 9 API calls 10701->10703 10702 c4be7e CloseHandle 10702->10656 10704 c4b977 10703->10704 10707 c43840 2 API calls 10704->10707 10706 c4bc51 CreateToolhelp32Snapshot 10706->10714 10709 c4b9e6 10707->10709 10708 c4bcde Module32First 10708->10714 10709->10656 10710 c25730 GetProcessHeap RtlAllocateHeap 10710->10714 10712 c43840 GetProcessHeap RtlFreeHeap 10712->10714 10713 c25f40 8 API calls 10716 c4bdfd CloseHandle Process32Next 10713->10716 10714->10702 10714->10706 10714->10708 10714->10710 10714->10712 10714->10713 10715 c438a0 9 API calls 10714->10715 10717 c4be76 10714->10717 10746 c240b0 lstrlen 10714->10746 10747 c2bba0 wvsprintfA 10714->10747 10715->10714 10716->10714 10717->10702 10719 c4a480 10718->10719 10720 c4a141 EnumServicesStatusA GetLastError 10718->10720 10721 c25730 2 API calls 10719->10721 10722 c4a196 10720->10722 10723 c4a496 10721->10723 10725 c4a464 10722->10725 10726 c36f00 2 API calls 10722->10726 10724 c438a0 9 API calls 10723->10724 10727 c4a4b0 10724->10727 10725->10658 10728 c4a1f4 10726->10728 10729 c43840 2 API calls 10727->10729 10731 c4a441 CloseServiceHandle 10728->10731 10732 c4a22a EnumServicesStatusA 10728->10732 10730 c4a4df 10729->10730 10730->10658 10731->10725 10740 c4a26e 10732->10740 10733 c4a41e 10734 c3c520 2 API calls 10733->10734 10735 c4a434 10734->10735 10735->10731 10736 c240b0 lstrlen 10736->10740 10737 c25730 2 API calls 10737->10740 10739 c43840 2 API calls 10739->10740 10740->10733 10740->10736 10740->10737 10740->10739 10741 c438a0 9 API calls 10740->10741 10748 c2bba0 wvsprintfA 10740->10748 10741->10740 10743 c3370b 10742->10743 10744 c26660 8 API calls 10743->10744 10745 c3386c 10744->10745 10745->10662 10746->10714 10747->10714 10748->10740 10986 c41ff6 10992 c42000 10986->10992 10988 c421e9 Process32Next 10989 c42255 CloseHandle 10988->10989 10988->10992 10994 c4228b 10989->10994 10990 c42098 OpenProcess 10990->10992 10991 c4210a 
TerminateProcess 10991->10992 10993 c4217a CloseHandle 10991->10993 10992->10988 10992->10990 10992->10991 10992->10993 10995 c32290 lstrlen CharLowerBuffA 10992->10995 10993->10992 10995->10992 10749 c384f0 10750 c3850d 10749->10750 10759 c240b0 lstrlen 10750->10759 10752 c38575 10753 c50850 8 API calls 10752->10753 10754 c3858f 10753->10754 10755 c438a0 9 API calls 10754->10755 10756 c385b9 10755->10756 10760 c44ae0 10756->10760 10759->10752 10761 c44aee 10760->10761 10762 c21890 8 API calls 10761->10762 10763 c38617 10762->10763 10764 c43af0 10765 c43b2c 10764->10765 10768 c240b0 lstrlen 10765->10768 10767 c43c1a 10767->10767 10768->10767 10769 c4f6f0 10770 c37330 13 API calls 10769->10770 10771 c4f70d 10770->10771 10772 c21890 8 API calls 10771->10772 10773 c4f776 10772->10773 11187 c33f74 11188 c33f80 11187->11188 11189 c33fbd Sleep 11188->11189 11191 c33feb 11188->11191 11190 c23dc0 GetSystemTimeAsFileTime 11189->11190 11190->11188 10854 c21000 10855 c21024 10854->10855 10858 c240b0 lstrlen 10855->10858 10857 c21038 10858->10857 11192 c21300 11193 c2131b 11192->11193 11248 c41a90 11193->11248 11195 c21394 11196 c497d0 4 API calls 11195->11196 11201 c2178c 11195->11201 11197 c213f9 11196->11197 11198 c25730 2 API calls 11197->11198 11199 c21419 11198->11199 11200 c2b980 9 API calls 11199->11200 11202 c2144e 11200->11202 11203 c43840 2 API calls 11202->11203 11204 c21468 11203->11204 11251 c25cc0 11204->11251 11209 c45810 8 API calls 11210 c214ae 11209->11210 11211 c25730 2 API calls 11210->11211 11212 c214e8 11211->11212 11213 c44a90 9 API calls 11212->11213 11214 c2150d 11213->11214 11215 c45810 8 API calls 11214->11215 11216 c21519 11215->11216 11217 c43840 2 API calls 11216->11217 11218 c21533 11217->11218 11219 c35b60 8 API calls 11218->11219 11220 c21573 11219->11220 11221 c45810 8 API calls 11220->11221 11222 c2157c 11221->11222 11223 c46b70 8 API calls 11222->11223 11224 c215a6 11223->11224 11257 c244a0 11224->11257 11226 c215c0 11227 c48ba0 9 API calls 
11226->11227 11228 c215fb 11227->11228 11314 c27640 11228->11314 11231 c25730 2 API calls 11232 c21635 11231->11232 11233 c44a90 9 API calls 11232->11233 11234 c21661 11233->11234 11235 c45810 8 API calls 11234->11235 11236 c2166d 11235->11236 11237 c43840 2 API calls 11236->11237 11238 c21694 11237->11238 11239 c21890 8 API calls 11238->11239 11240 c216c2 11239->11240 11241 c26660 8 API calls 11240->11241 11242 c21716 11241->11242 11243 c25730 2 API calls 11242->11243 11244 c21754 11243->11244 11245 c401b0 21 API calls 11244->11245 11246 c2177a 11245->11246 11247 c43840 2 API calls 11246->11247 11247->11201 11249 c21890 8 API calls 11248->11249 11250 c41abf SetEvent 11249->11250 11250->11195 11318 c2ab70 11251->11318 11254 c376c0 11255 c48a40 8 API calls 11254->11255 11256 c214a2 11255->11256 11256->11209 11258 c244c4 11257->11258 11259 c25730 2 API calls 11258->11259 11264 c24611 11258->11264 11260 c245e0 11259->11260 11261 c2b980 9 API calls 11260->11261 11262 c245ff 11261->11262 11263 c43840 2 API calls 11262->11263 11263->11264 11265 c246a4 11264->11265 11266 c24789 11264->11266 11267 c25730 2 API calls 11265->11267 11269 c25730 2 API calls 11266->11269 11268 c246c6 11267->11268 11270 c2b980 9 API calls 11268->11270 11272 c247cf 11269->11272 11271 c246e5 11270->11271 11274 c43840 2 API calls 11271->11274 11326 c23640 11272->11326 11276 c2476a 11274->11276 11275 c247f9 11277 c43840 2 API calls 11275->11277 11276->11226 11278 c24819 11277->11278 11279 c2483f 11278->11279 11280 c248ac 11278->11280 11281 c25730 2 API calls 11279->11281 11339 c25600 GetModuleFileNameA 11280->11339 11283 c24855 11281->11283 11285 c2b980 9 API calls 11283->11285 11289 c24886 11285->11289 11286 c248c9 11290 c25730 2 API calls 11286->11290 11287 c2493c 11288 c25f60 lstrlen 11287->11288 11292 c24967 11288->11292 11293 c43840 2 API calls 11289->11293 11291 c248e9 11290->11291 11294 c2b980 9 API calls 11291->11294 11341 c4b310 11292->11341 11296 c24898 11293->11296 11297 c24901 
11294->11297 11296->11226 11299 c43840 2 API calls 11297->11299 11300 c2491f 11299->11300 11300->11226 11303 c25730 2 API calls 11304 c249d2 11303->11304 11305 c43840 2 API calls 11304->11305 11306 c249fd 11305->11306 11349 c240b0 lstrlen 11306->11349 11308 c24a3e 11309 c43060 5 API calls 11308->11309 11310 c24a79 11309->11310 11350 c4eeb0 11310->11350 11313 c24bb6 11313->11226 11315 c2765b 11314->11315 11316 c46ff0 8 API calls 11315->11316 11317 c2161f 11316->11317 11317->11231 11319 c2ab7b 11318->11319 11322 c4c960 11319->11322 11323 c4c97c 11322->11323 11324 c46ff0 8 API calls 11323->11324 11325 c21499 11324->11325 11325->11254 11328 c23672 11326->11328 11327 c236d6 11327->11275 11328->11327 11374 c22710 11328->11374 11332 c237bd 11335 c23772 11332->11335 11384 c26bf0 11332->11384 11334 c23834 11391 c22f90 11334->11391 11402 c44b20 11335->11402 11340 c248c2 11339->11340 11340->11286 11340->11287 11342 c4b367 11341->11342 11343 c24994 11342->11343 11344 c47040 9 API calls 11342->11344 11345 c23480 11343->11345 11344->11343 11348 c234a7 11345->11348 11346 c235ea 11346->11303 11347 c4b310 9 API calls 11347->11348 11348->11346 11348->11347 11349->11308 11351 c4efa4 11350->11351 11352 c4efd0 CreatePipe 11351->11352 11353 c4f038 SetHandleInformation CreatePipe 11352->11353 11359 c4f015 11352->11359 11355 c4f104 SetHandleInformation 11353->11355 11356 c4f0b0 11353->11356 11364 c4f167 11355->11364 11357 c4f377 CloseHandle 11356->11357 11357->11359 11360 c4f3a5 CloseHandle 11357->11360 11361 c26660 8 API calls 11359->11361 11362 c24b5e DeleteFileA 11359->11362 11360->11359 11361->11362 11362->11313 11363 c4f297 CreateProcessA 11365 c4f2e0 11363->11365 11364->11363 11366 c4f42a WriteFile 11365->11366 11368 c4f345 CloseHandle CloseHandle 11365->11368 11366->11368 11369 c4f49f CloseHandle CloseHandle 11366->11369 11368->11357 11371 c4f502 11369->11371 11540 c41720 11371->11540 11375 c2274d 11374->11375 11376 c270e0 4 API calls 11375->11376 11377 c227bd 11376->11377 11378 
c452f0 4 API calls 11377->11378 11379 c227e3 11377->11379 11378->11379 11379->11335 11380 c452f0 11379->11380 11381 c45311 11380->11381 11382 c270e0 4 API calls 11381->11382 11383 c4533c 11382->11383 11383->11332 11405 c335f0 11384->11405 11388 c26c50 11417 c485e0 11388->11417 11390 c26c6a 11390->11334 11392 c22f9d 11391->11392 11393 c23470 11392->11393 11429 c4fc20 11392->11429 11393->11335 11395 c2307d 11396 c25730 2 API calls 11395->11396 11399 c230f5 11395->11399 11401 c232fa 11395->11401 11398 c232ab 11396->11398 11397 c25730 2 API calls 11397->11399 11398->11399 11400 c43840 2 API calls 11398->11400 11399->11335 11400->11401 11401->11397 11401->11399 11403 c37450 2 API calls 11402->11403 11404 c23984 11403->11404 11404->11275 11406 c3360f 11405->11406 11407 c25730 2 API calls 11406->11407 11408 c33686 11407->11408 11409 c43840 2 API calls 11408->11409 11410 c26c32 11409->11410 11411 c37bf0 11410->11411 11412 c37c2d 11411->11412 11413 c37de8 11411->11413 11414 c37d1d 11412->11414 11423 c45950 11412->11423 11413->11388 11414->11413 11416 c45950 4 API calls 11414->11416 11416->11414 11418 c48665 11417->11418 11419 c37bf0 4 API calls 11418->11419 11420 c488e3 11419->11420 11421 c37bf0 4 API calls 11420->11421 11422 c48909 11421->11422 11422->11390 11424 c459a4 11423->11424 11425 c25730 2 API calls 11424->11425 11426 c45b5f 11425->11426 11427 c43840 2 API calls 11426->11427 11428 c45e79 11427->11428 11428->11414 11430 c4fc5c 11429->11430 11431 c22710 4 API calls 11430->11431 11434 c4fc82 11431->11434 11432 c37450 2 API calls 11433 c4fda5 11432->11433 11433->11395 11435 c4fcb5 11434->11435 11436 c4fd03 11434->11436 11440 c4fd51 11434->11440 11437 c37450 2 API calls 11435->11437 11441 c34420 11436->11441 11439 c4fcea 11437->11439 11439->11395 11440->11432 11443 c3444f 11441->11443 11442 c353c0 11442->11440 11443->11442 11444 c270e0 4 API calls 11443->11444 11445 c34686 11444->11445 11447 c270e0 4 API calls 11445->11447 11475 c34be5 11445->11475 11446 c35323 11450 
c35395 11446->11450 11451 c35389 11446->11451 11448 c346cf 11447->11448 11452 c270e0 4 API calls 11448->11452 11448->11475 11449 c37450 2 API calls 11449->11475 11454 c37450 2 API calls 11450->11454 11453 c37450 2 API calls 11451->11453 11456 c3470a 11452->11456 11455 c35390 11453->11455 11454->11455 11455->11440 11457 c452f0 4 API calls 11456->11457 11467 c3473a 11456->11467 11456->11475 11458 c34789 11457->11458 11458->11475 11477 c33b00 11458->11477 11461 c3488f 11464 c36dc0 4 API calls 11461->11464 11462 c3487c 11463 c322e0 4 API calls 11462->11463 11466 c3488a 11463->11466 11464->11466 11468 c36dc0 4 API calls 11466->11468 11467->11461 11467->11462 11467->11475 11469 c348eb 11468->11469 11470 c270e0 4 API calls 11469->11470 11469->11475 11471 c34980 11470->11471 11472 c36dc0 4 API calls 11471->11472 11471->11475 11476 c349af 11472->11476 11473 c270e0 4 API calls 11473->11476 11474 c36dc0 4 API calls 11474->11476 11475->11446 11475->11449 11476->11473 11476->11474 11476->11475 11478 c33b94 11477->11478 11479 c270e0 4 API calls 11478->11479 11480 c33bca 11478->11480 11479->11480 11480->11475 11481 c322e0 11480->11481 11482 c3232a 11481->11482 11489 c35f50 11482->11489 11484 c323cf 11484->11467 11485 c32356 11485->11484 11486 c32396 11485->11486 11487 c267e0 4 API calls 11485->11487 11486->11484 11531 c47930 11486->11531 11487->11485 11491 c35f9b 11489->11491 11490 c35fc0 11490->11485 11491->11490 11492 c360a5 11491->11492 11493 c3603b 11491->11493 11495 c36dc0 4 API calls 11492->11495 11494 c36054 11493->11494 11496 c452f0 4 API calls 11493->11496 11497 c36086 11494->11497 11498 c36dc0 4 API calls 11494->11498 11524 c36079 11494->11524 11500 c360b9 11495->11500 11496->11494 11497->11485 11498->11524 11499 c37450 2 API calls 11501 c36d9a 11499->11501 11502 c36dc0 4 API calls 11500->11502 11500->11524 11501->11485 11503 c3612e 11502->11503 11504 c270e0 4 API calls 11503->11504 11503->11524 11505 c3617a 11504->11505 11506 c452f0 4 API calls 11505->11506 
11505->11524 11507 c3619b 11506->11507 11508 c270e0 4 API calls 11507->11508 11507->11524 11509 c361c5 11508->11509 11510 c270e0 4 API calls 11509->11510 11509->11524 11511 c361e7 11510->11511 11512 c33b00 4 API calls 11511->11512 11513 c362c4 11511->11513 11511->11524 11515 c36277 11512->11515 11514 c33b00 4 API calls 11513->11514 11513->11524 11518 c36391 11514->11518 11516 c33b00 4 API calls 11515->11516 11515->11524 11516->11513 11517 c47930 4 API calls 11517->11518 11518->11517 11526 c3641d 11518->11526 11519 c36c28 11520 c36dc0 4 API calls 11519->11520 11521 c36c7a 11519->11521 11520->11521 11522 c36dc0 4 API calls 11521->11522 11521->11524 11522->11524 11523 c452f0 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 11523->11526 11524->11497 11524->11499 11525 c211a0 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 11525->11526 11526->11519 11526->11523 11526->11524 11526->11525 11527 c47930 4 API calls 11526->11527 11528 c36dc0 4 API calls 11526->11528 11529 c33b00 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 11526->11529 11530 c267e0 4 API calls 11526->11530 11527->11526 11528->11526 11529->11526 11530->11526 11532 c47978 11531->11532 11533 c47b39 11531->11533 11536 c47a45 11532->11536 11537 c4799d 11532->11537 11534 c3c640 4 API calls 11533->11534 11535 c479c4 11534->11535 11535->11486 11538 c464f0 4 API calls 11536->11538 11539 c464f0 4 API calls 11537->11539 11538->11535 11539->11535 11541 c4172d 11540->11541 11542 c26660 8 API calls 11541->11542 11546 c417f3 11542->11546 11543 c4184d ReadFile 11544 c418fa WaitForSingleObject CloseHandle CloseHandle 11543->11544 11543->11546 11544->11359 11545 c21890 8 API calls 11545->11546 11546->11543 11546->11544 11546->11545 11547 c41300 11548 c42320 lstrlen 11547->11548 11549 c4130f 11548->11549 11004 c3c389 11006 c3c390 11004->11006 11007 c3c441 Process32Next 11006->11007 11008 c3c4a2 CloseHandle 11006->11008 11011 c32290 lstrlen CharLowerBuffA 11006->11011 11007->11006 11007->11008 
11010 c3c4e5 11008->11010 11011->11006 10859 c41814 10862 c41820 10859->10862 10860 c4184d ReadFile 10861 c418fa 10860->10861 10860->10862 10862->10860 10862->10861 10863 c21890 8 API calls 10862->10863 10863->10862 10782 c25c90 10783 c25c9b 10782->10783 10784 c25ca7 10783->10784 10785 c21fc0 2 API calls 10783->10785 10785->10784 11012 c45b96 11013 c45ba0 11012->11013 11014 c43840 2 API calls 11013->11014 11015 c45e79 11014->11015 10790 c34290 10791 c342b3 10790->10791 10792 c342ba SetServiceStatus 10790->10792 10791->10792 10793 c342d3 10791->10793 10794 c342e7 SetServiceStatus SetEvent 10791->10794 10796 c34350 10792->10796 10793->10794 10794->10796 11550 c46d10 11551 c46d4b 11550->11551 11552 c22ef0 2 API calls 11551->11552 11553 c46d50 11552->11553 11554 c220e0 3 API calls 11553->11554 11555 c46d5f 11554->11555 10797 c37496 10799 c374a0 10797->10799 10798 c375ba 10799->10798 10800 c3c520 2 API calls 10799->10800 10800->10799 10801 c228a0 10802 c228b0 10801->10802 10803 c228c2 10802->10803 10804 c22a0c ReadFile 10802->10804 10805 c22a31 10804->10805 10806 c220a0 10807 c220b7 10806->10807 10808 c251d0 8 API calls 10807->10808 10809 c220ce 10808->10809 11023 c377a1 11024 c377aa 11023->11024 11025 c25730 2 API calls 11024->11025 11026 c37b66 11025->11026 11027 c43840 2 API calls 11026->11027 11028 c37b95 11027->11028 10868 c42420 FlushFileBuffers 10869 c42460 GetLastError 10868->10869 10870 c424a2 10868->10870 10871 c42820 10872 c42873 10871->10872 10875 c267e0 10872->10875 10876 c2681a 10875->10876 10877 c2690b 10875->10877 10879 c26834 10876->10879 10880 c268bf 10876->10880 10893 c3c640 10877->10893 10884 c464f0 10879->10884 10881 c464f0 4 API calls 10880->10881 10883 c26849 10881->10883 10886 c46532 10884->10886 10885 c46567 10885->10883 10886->10885 10888 c465c5 10886->10888 10901 c36dc0 10886->10901 10889 c36dc0 4 API calls 10888->10889 10890 c46684 10888->10890 10889->10890 10906 c37450 10890->10906 10894 c3c6a0 10893->10894 10895 c36dc0 4 API calls 
10894->10895 10896 c3c756 10894->10896 10895->10896 10897 c270e0 4 API calls 10896->10897 10898 c3ca18 10896->10898 10899 c3c7ba 10897->10899 10898->10883 10899->10898 10900 c270e0 4 API calls 10899->10900 10900->10899 10902 c36df3 10901->10902 10903 c36df9 10901->10903 10902->10888 10904 c270e0 4 API calls 10903->10904 10905 c36e71 10904->10905 10905->10888 10907 c375ba 10906->10907 10908 c3748f 10906->10908 10907->10883 10908->10907 10909 c3c520 2 API calls 10908->10909 10909->10908 10910 c34a29 10919 c34a30 10910->10919 10911 c270e0 4 API calls 10911->10919 10912 c35323 10915 c35395 10912->10915 10916 c35389 10912->10916 10913 c36dc0 4 API calls 10913->10919 10914 c37450 2 API calls 10921 c34be5 10914->10921 10918 c37450 2 API calls 10915->10918 10917 c37450 2 API calls 10916->10917 10920 c35390 10917->10920 10918->10920 10919->10911 10919->10913 10919->10921 10921->10912 10921->10914 11029 c47da8 11038 c47db0 11029->11038 11030 c4835c 11031 c26660 8 API calls 11030->11031 11032 c485a4 11031->11032 11033 c25730 GetProcessHeap RtlAllocateHeap 11033->11038 11034 c43840 GetProcessHeap RtlFreeHeap 11034->11038 11035 c21890 8 API calls 11035->11038 11036 c48354 11037 c41950 5 API calls 11037->11038 11038->11030 11038->11033 11038->11034 11038->11035 11038->11036 11038->11037 11039 c482d0 CreateThread CloseHandle 11038->11039 11039->11038 11040 c219c0 33 API calls 11039->11040 10922 c22630 10923 c251d0 8 API calls 10922->10923 10924 c2265b 10923->10924 9244 c2b531 9245 c2b5ae RegisterServiceCtrlHandlerA 9244->9245 9249 c2b696 9245->9249 9247 c2b8ba 9248 c2b702 SetServiceStatus CreateEventA SetServiceStatus 9250 c2b7a2 9248->9250 9251 c2b7b0 WaitForSingleObject 9248->9251 9249->9247 9249->9248 9250->9251 9251->9251 9252 c2b7dd 9251->9252 9255 c26590 WaitForSingleObject 9252->9255 9256 c265cc SetServiceStatus CloseHandle SetServiceStatus 9255->9256 9256->9247 10810 c3beb0 10811 c3bec8 10810->10811 10816 c240b0 lstrlen 10811->10816 10813 c3bf13 10817 c24090 10813->10817 
10816->10813 10820 c26670 10817->10820 10819 c240aa 10821 c2668f 10820->10821 10822 c266f1 10821->10822 10823 c266fe 10821->10823 10824 c414f0 8 API calls 10822->10824 10826 c266fc 10823->10826 10827 c2b9e0 10823->10827 10824->10826 10826->10819 10828 c2b9ff 10827->10828 10829 c3cb30 8 API calls 10828->10829 10830 c2ba40 10829->10830 10830->10826 11044 c44db0 11045 c44ddf 11044->11045 11046 c4fad0 4 API calls 11045->11046 11047 c44e33 11045->11047 11046->11047 9257 c46d32 9258 c46d4b 9257->9258 9263 c22ef0 9258->9263 9262 c46d5f 9270 c33d60 9263->9270 9265 c22f36 9266 c220e0 GetStdHandle GetStdHandle 9265->9266 9267 c22177 GetStdHandle 9266->9267 9268 c2215b 9266->9268 9269 c221bc 9267->9269 9268->9267 9269->9262 9271 c33d84 9270->9271 9272 c33d9f GetProcessHeap HeapAlloc 9270->9272 9271->9272 9272->9265 9273 c3b73a 9274 c3b7d3 9273->9274 9278 c300c1 9274->9278 9482 c30ae8 9274->9482 9622 c43840 9278->9622 9282 c3010b 9283 c43840 2 API calls 9282->9283 9284 c3013a 9283->9284 9285 c25730 2 API calls 9284->9285 9286 c30180 9285->9286 9287 c43840 2 API calls 9286->9287 9288 c301a9 9287->9288 9289 c25730 2 API calls 9288->9289 9290 c301f9 9289->9290 9291 c43840 2 API calls 9290->9291 9292 c30219 9291->9292 9293 c25730 2 API calls 9292->9293 9294 c3027a 9293->9294 9295 c43840 2 API calls 9294->9295 9296 c30292 9295->9296 9297 c43840 2 API calls 9296->9297 9298 c302d0 9297->9298 9630 c3c520 9298->9630 9302 c3036d 9303 c25730 2 API calls 9302->9303 9304 c303c5 GetEnvironmentVariableA 9303->9304 9306 c43840 2 API calls 9304->9306 9307 c30414 CreateMutexA CreateMutexA CreateMutexA 9306->9307 9639 c26460 9307->9639 9309 c304b5 9310 c3060b 9309->9310 9312 c3056a 9309->9312 9313 c3057f GetTickCount 9309->9313 9643 c32490 9310->9643 9312->9313 9314 c30593 9313->9314 9317 c25730 2 API calls 9314->9317 9315 c3061a GetCommandLineA 9319 c30652 9315->9319 9318 c305a9 9317->9318 9321 c43840 2 API calls 9318->9321 9320 c25730 2 API calls 9319->9320 9322 c306e3 9320->9322 9323 c305de 
9321->9323 9324 c43840 2 API calls 9322->9324 9323->9310 9325 c30711 9324->9325 9326 c311fc GetCommandLineA 9325->9326 9327 c25730 2 API calls 9325->9327 9742 c3bf70 9326->9742 9330 c3077b 9327->9330 9329 c3121a 9745 c240b0 lstrlen 9329->9745 9332 c43840 2 API calls 9330->9332 9333 c307ff 9332->9333 9334 c30845 9333->9334 9916 c42780 9333->9916 9337 c25730 2 API calls 9334->9337 9340 c3087a 9337->9340 9338 c31257 GetModuleFileNameA 9746 c32290 lstrlen CharLowerBuffA 9338->9746 9342 c43840 2 API calls 9340->9342 9341 c31347 9747 c32290 lstrlen CharLowerBuffA 9341->9747 9343 c308ea 9342->9343 9345 c30931 9343->9345 9347 c42780 ExitProcess 9343->9347 9348 c45860 lstrlen 9345->9348 9346 c313cd 9748 c32290 lstrlen CharLowerBuffA 9346->9748 9347->9345 9349 c3095c 9348->9349 9351 c25730 2 API calls 9349->9351 9354 c30972 9351->9354 9352 c316fa 9749 c272e0 9352->9749 9356 c43840 2 API calls 9354->9356 9355 c31752 9357 c3177a 9355->9357 9358 c42780 ExitProcess 9355->9358 9375 c309f1 9356->9375 9757 c4cbe0 9357->9757 9358->9357 9360 c317df 9853 c23dc0 9360->9853 9361 c3c250 6 API calls 9361->9375 9363 c31805 9857 c25f60 9363->9857 9365 c31406 9365->9352 9941 c37f00 9365->9941 9368 c30bbd Sleep 9370 c2b150 5 API calls 9368->9370 9369 c31523 9947 c260a0 9369->9947 9372 c30bfc 9370->9372 9371 c23dc0 GetSystemTimeAsFileTime 9371->9375 9372->9375 9374 c316cf 9378 c42780 ExitProcess 9374->9378 9375->9361 9375->9368 9375->9371 9377 c30cd0 Sleep 9375->9377 9382 c30cf4 9375->9382 9919 c2b150 9375->9919 9376 c3156e 9376->9374 9379 c25730 2 API calls 9376->9379 9377->9375 9378->9352 9381 c3160a 9379->9381 9380 c3182e 9383 c3192c WSAStartup 9380->9383 9962 c240b0 lstrlen 9381->9962 9385 c3c250 6 API calls 9382->9385 9391 c30d81 9382->9391 9392 c30df4 9382->9392 9386 c31965 9383->9386 9396 c319c2 9383->9396 9385->9382 9387 c25730 2 API calls 9386->9387 9389 c3197b 9387->9389 9388 c3161f MessageBoxA 9390 c31682 9388->9390 9963 c3d060 9389->9963 9395 c43840 2 API calls 9390->9395 9928 
c41e90 9391->9928 9394 c2b150 5 API calls 9392->9394 9398 c30e1c 9394->9398 9400 c316a3 9395->9400 9401 c31a85 9396->9401 9968 c424e0 9396->9968 9397 c30da0 Sleep 9397->9382 9397->9392 9402 c31178 9398->9402 9406 c30e9a GetModuleFileNameA SetFileAttributesA CopyFileA 9398->9406 9409 c30e88 9398->9409 9403 c42780 ExitProcess 9400->9403 9410 c31ab4 CloseHandle SetFileAttributesA CopyFileA 9401->9410 9425 c31d89 9401->9425 9405 c438b0 3 API calls 9402->9405 9403->9374 9408 c3119f 9405->9408 9411 c25730 2 API calls 9406->9411 9407 c31a22 9412 c31a43 9407->9412 9417 c42780 ExitProcess 9407->9417 9421 c42780 ExitProcess 9408->9421 9409->9406 9414 c31b15 SetFileAttributesA 9410->9414 9415 c31cf0 9410->9415 9416 c30f2b 9411->9416 9979 c33ec0 9412->9979 9431 c31b60 9414->9431 9419 c26590 WaitForSingleObject 9415->9419 9426 c43840 2 API calls 9416->9426 9417->9412 9423 c31d49 9419->9423 9421->9326 9435 c42780 ExitProcess 9423->9435 9428 c31e13 SetFileAttributesA CopyFileA 9425->9428 9429 c31dce 9425->9429 9861 c3c250 9425->9861 9430 c30f61 9426->9430 9427 c31bf1 9441 c31c4e Sleep 9427->9441 10000 c37110 9427->10000 9433 c31e62 9428->9433 9434 c31e74 SetFileAttributesA 9428->9434 9432 c41e90 9 API calls 9429->9432 9436 c30ff1 9430->9436 9437 c25730 2 API calls 9430->9437 9431->9427 9987 c38200 9431->9987 9438 c31de4 Sleep 9432->9438 9433->9434 9871 c45860 9434->9871 9435->9425 9443 c310d7 SetFileAttributesA 9436->9443 9444 c31085 SetFileAttributesA 9436->9444 9452 c30fab 9437->9452 9438->9425 9438->9428 9449 c31cc6 9441->9449 9451 c310f9 9443->9451 9444->9451 9448 c25730 2 API calls 9454 c31ec7 9448->9454 9450 c438b0 3 API calls 9449->9450 9450->9415 9451->9402 9453 c43840 2 API calls 9452->9453 9453->9436 9455 c25730 2 API calls 9454->9455 9456 c31f1f 9455->9456 9457 c43840 2 API calls 9456->9457 9458 c31f36 9457->9458 9877 c435c0 9458->9877 9460 c31f4d 9461 c43840 2 API calls 9460->9461 9462 c31f6e 9461->9462 9884 c4c080 9462->9884 9465 c25730 2 API calls 9466 c31fa9 
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 00C303F9
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00C30427
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00C3046A
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00C30496
• GetTickCount.KERNEL32 ref: 00C30587
• GetCommandLineA.KERNEL32 ref: 00C3063E
• Sleep.KERNEL32(000003E8), ref: 00C30CDF
  • Part of subcall function 00C2B150: CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00C2B1D7
• Sleep.KERNEL32(00000D05), ref: 00C30BD2
  • Part of subcall function 00C2B150: GetFileTime.KERNEL32(00000000,?,?,?), ref: 00C2B256
  • Part of subcall function 00C2B150: CloseHandle.KERNEL32(00000000), ref: 00C2B26B
• Sleep.KERNEL32(000007D0), ref: 00C30DD1
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00C30EA8
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00C30ECC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00C30EFE
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00C310B9
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00C310E7
• GetCommandLineA.KERNEL32(00000000), ref: 00C3120E
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 00C3132B
  • Part of subcall function 00C32290: lstrlen.KERNEL32(00C3C420,00000000,?,00C3C420,?), ref: 00C322A2
  • Part of subcall function 00C32290: CharLowerBuffA.USER32(00C3C420,00000000,?,00C3C420,?), ref: 00C322BE
• MessageBoxA.USER32(00000000,00000004,00000005,00000000), ref: 00C31663
  • Part of subcall function 00C272E0: CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00C27452
• CloseHandle.KERNEL32(00000130), ref: 00C31AC5
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00C31AE1
• CopyFileA.KERNEL32(?,?,00000000), ref: 00C31B07
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00C31B43
• Sleep.KERNEL32(000003E8), ref: 00C31CAC
• WSAStartup.WS2_32(00000202,?), ref: 00C31947
  • Part of subcall function 00C42780: ExitProcess.KERNEL32 ref: 00C427B0
• Sleep.KERNEL32(000007D0), ref: 00C31DFC
• SetFileAttributesA.KERNELBASE(C:\daxjjwrfm\tkjnbticppc.exe,00000080), ref: 00C31E27
• CopyFileA.KERNEL32(?,C:\daxjjwrfm\tkjnbticppc.exe,00000000), ref: 00C31E45
• SetFileAttributesA.KERNELBASE(C:\daxjjwrfm\tkjnbticppc.exe,00000002), ref: 00C31E7B
  • Part of subcall function 00C4C080: Sleep.KERNELBASE(000003E8,00000000,?,00C5007D,?,00000708,00000000), ref: 00C4C1C3
  • Part of subcall function 00C2BBA0: wvsprintfA.USER32(00000000,?,00C409D1), ref: 00C2BBEB
• CreateThread.KERNELBASE(00000000,00000000,Function_0002FE10,00000000,00000000,00000000), ref: 00C32194
• Sleep.KERNEL32(0000C350), ref: 00C32210
Strings
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: File$AttributesSleep$Create$CopyMutex$CloseCommandHandleLineModuleName$BuffCharCountEnvironmentExitLowerMessageProcessStartupThreadTickTimeVariablelstrlenwvsprintf
• String ID: C:\Windows\system32\config\systemprofile$C:\daxjjwrfm\tkjnbticppc.exe$Xzc$\t3$mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"$x7;C
• API String ID: 1500488346-931268914
• Opcode ID: bfa1866decec43ed1839ecc4d26e4dfb72930590f78d31762b6c203c5e691129
• Instruction ID: 077a0fb35463b659fe0fb9efd544b7dc238cb0e9adabdb7f67757dfceb2c390e
• Opcode Fuzzy Hash: bfa1866decec43ed1839ecc4d26e4dfb72930590f78d31762b6c203c5e691129
• Instruction Fuzzy Hash: CC03D279A103009FD728DF66ED92B6E37F5F754302F14812AE802E72B1EBB49981DB51

Control-flow Graph
APIs
• GetVersionExA.KERNEL32(00C6EAC8), ref: 00C32572
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00C326EF
• DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00C32843
• RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00C3289F
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00C3293F
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C329E1
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00C32CAC
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00C32D6E
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00C32EB0
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00C3307B
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00C331FA
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 00C3344D
Strings
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Windows\system32\config\systemprofile$C:\daxjjwrfm\$Wq0O$\
• API String ID: 1691758827-4043548932
• Opcode ID: 423a2ad53e62a85eed542210bdffa514d8648a1bcc1b12f29134d5b2202ea202
• Instruction ID: 317744578c7124649babfebf0156ee9f210039166b148b18708adbd75975f653
• Opcode Fuzzy Hash: 423a2ad53e62a85eed542210bdffa514d8648a1bcc1b12f29134d5b2202ea202
• Instruction Fuzzy Hash: 91820579910305CBC728DF66EC927BE37B5FB54312F00812AE502E72B1EBB49A85DB51

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Time$FileSystem__aulldivlstrlen
• String ID: !|/0$'~(-$/$SbJ$*c
• API String ID: 3360920532-2717626210
• Opcode ID: 332f87a046acaefafea2d889fca75a49c4a7e0fdcc786d6ed59b5de9483456b4
• Instruction ID: dfa10ebe3438498c19c92959dc8a19895aaf9ca40f3c90d4e8906108ca772e63
• Opcode Fuzzy Hash: 332f87a046acaefafea2d889fca75a49c4a7e0fdcc786d6ed59b5de9483456b4
• Instruction Fuzzy Hash: BB9235799103008BC728DF66FC9277E77B5FB94312F14812AE806E72A1EBB05985DF91

Control-flow Graph

                                                                                                                                                                                                              control_flow_graph 914 c4db50-c4dbe1 915 c4dbe3-c4dbed 914->915 916 c4dbef 914->916 917 c4dbf9-c4dc73 915->917 916->917 918 c4dc75 917->918 919 c4dc7f-c4dcd1 call c25730 call c4f8f0 call c43840 917->919 918->919 926 c4dd01-c4dd14 919->926 927 c4dcd3-c4dcff 919->927 928 c4dd1a-c4dd3f GetProcessHeap 926->928 927->928 929 c4dd41-c4dd5e 928->929 930 c4dd5f-c4dda1 call c25730 928->930 933 c4dda3-c4ddb4 930->933 934 c4ddba-c4dde7 LoadLibraryA call c43840 930->934 933->934 937 c4de04-c4de73 call c25730 GetProcAddress 934->937 938 c4dde9-c4de03 934->938 941 c4de75 937->941 942 c4de7f-c4dea9 call c43840 937->942 941->942 945 c4ded7-c4df29 HeapAlloc 942->945 946 c4deab-c4ded6 FreeLibrary 942->946 947 c4df52-c4dfa0 GetAdaptersInfo 945->947 948 c4df2b-c4df51 FreeLibrary 945->948 949 c4e074-c4e091 GetAdaptersInfo 947->949 950 c4dfa6-c4e025 HeapFree HeapAlloc 947->950 953 c4e097-c4e10c call c25730 call c4f8f0 call c43840 949->953 954 c4e61a-c4e631 949->954 951 c4e027-c4e069 FreeLibrary 950->951 952 c4e06a 950->952 952->949 962 c4e132-c4e137 953->962 963 c4e10e-c4e126 953->963 955 c4e637-c4e6a5 HeapFree FreeLibrary 954->955 964 c4e140-c4e150 962->964 963->962 965 c4e128 963->965 966 c4e152 964->966 967 c4e15c-c4e183 call c41d60 964->967 965->962 966->967 970 c4e26e-c4e282 967->970 971 c4e189-c4e198 967->971 972 c4e28c-c4e28e 970->972 973 c4e1a6 971->973 974 c4e19a-c4e1a4 971->974 972->964 975 c4e294-c4e297 972->975 976 c4e1b0-c4e1d9 call c41d60 973->976 974->976 977 c4e5da-c4e618 call c49e60 975->977 981 c4e249-c4e25a 976->981 982 c4e1db-c4e225 976->982 977->955 981->970 986 c4e25c-c4e268 981->986 984 c4e227-c4e247 982->984 985 c4e29c-c4e2fe call c25730 982->985 984->972 989 c4e300-c4e316 985->989 990 c4e318-c4e32a 985->990 986->970 991 c4e331-c4e386 call c4f8f0 call c43840 
989->991 990->991 996 c4e38c 991->996 997 c4e54d-c4e599 991->997 1000 c4e390-c4e3d4 996->1000 998 c4e5ab-c4e5d7 call c49e60 997->998 999 c4e59b-c4e5a5 997->999 998->977 999->998 1002 c4e3d6-c4e3e2 1000->1002 1003 c4e3e8-c4e3fe 1000->1003 1002->1003 1004 c4e400-c4e41d 1003->1004 1005 c4e429-c4e48f 1003->1005 1004->1005 1007 c4e41f 1004->1007 1008 c4e496-c4e4b9 1005->1008 1009 c4e491-c4e495 1005->1009 1007->1005 1010 c4e4d7-c4e4f9 1008->1010 1011 c4e4bb-c4e4d1 1008->1011 1009->1008 1012 c4e533-c4e544 1010->1012 1013 c4e4fb-c4e517 1010->1013 1011->1010 1012->1000 1015 c4e54a 1012->1015 1013->1012 1014 c4e519-c4e52c 1013->1014 1014->1012 1015->997
APIs
• GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000001), ref: 00C4DD1A
• LoadLibraryA.KERNELBASE(00000000,?,?,?,?,?,?,00000000,00000001), ref: 00C4DDBB
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00C4DE59
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00C4DEBE
• HeapAlloc.KERNEL32(00C4D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C4DF03
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00C4DF39
• GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00C4DF73
• HeapFree.KERNEL32(00C4D075,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C4DFDD
• HeapAlloc.KERNEL32(00C4D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C4E00E
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00C4E035
Strings
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: FreeHeapLibrary$Alloc$AdaptersAddressInfoLoadProcProcess
• String ID: J)6v
• API String ID: 994048614-3523960662
• Opcode ID: 01665d16fe3bacc3c398f9d1e18b6b68a546cf0f3d92764385b4fac2fc2d0130
• Instruction ID: e948f89dc613950046296855054a1077f596e18076b9adae9f56958223aeecb8
• Opcode Fuzzy Hash: 01665d16fe3bacc3c398f9d1e18b6b68a546cf0f3d92764385b4fac2fc2d0130
• Instruction Fuzzy Hash: BC52C179A107018FD328DF6AEC9277E77F5F758312B14422AE806E72B0E7B49981CB51
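Added example, not part of the Joe Sandbox report or its IDA plugin: a Python parser for the control_flow_graph line and the APIs listing of the routine above. The token conventions it relies on (a decimal block id followed by a hex address or start-end range, `call <addr>` for an internal call, `* n` for a repeated call, `a->b` for an edge, any other token an API name) are read off this dump and are assumptions, not vendor documentation. The embedded graph is a copied excerpt cut after block 950, and the six API lines are copied from the listing above. `api_path` walks the graph breadth-first from the entry block and returns the API names met on the shortest path to a given API; for this routine that recovers GetProcessHeap, LoadLibraryA, GetProcAddress, HeapAlloc, GetAdaptersInfo, i.e. the runtime resolution of GetAdaptersInfo before the adapter query. `locate_refs` maps each `ref:` address of the APIs listing back to the block whose range contains it, which is how to check that the two views of the report agree.

```python
import re
from collections import deque, namedtuple
from dataclasses import dataclass, field

# Excerpt of the control_flow_graph line for the GetAdaptersInfo routine, copied from
# this report and truncated after block 950 so that the sample stays short.
CFG_SAMPLE = (
    "control_flow_graph 914 c4db50-c4dbe1 915 c4dbe3-c4dbed 914->915 916 c4dbef 914->916 "
    "917 c4dbf9-c4dc73 915->917 916->917 918 c4dc75 917->918 919 c4dc7f-c4dcd1 call c25730 "
    "call c4f8f0 call c43840 917->919 918->919 926 c4dd01-c4dd14 919->926 927 c4dcd3-c4dcff "
    "919->927 928 c4dd1a-c4dd3f GetProcessHeap 926->928 927->928 929 c4dd41-c4dd5e 928->929 "
    "930 c4dd5f-c4dda1 call c25730 928->930 933 c4dda3-c4ddb4 930->933 934 c4ddba-c4dde7 "
    "LoadLibraryA call c43840 930->934 937 c4de04-c4de73 call c25730 GetProcAddress 934->937 "
    "938 c4dde9-c4de03 934->938 941 c4de75 937->941 942 c4de7f-c4dea9 call c43840 937->942 "
    "945 c4ded7-c4df29 HeapAlloc 942->945 946 c4deab-c4ded6 FreeLibrary 942->946 "
    "947 c4df52-c4dfa0 GetAdaptersInfo 945->947 948 c4df2b-c4df51 FreeLibrary 945->948 "
    "949 c4e074-c4e091 GetAdaptersInfo 947->949 950 c4dfa6-c4e025 HeapFree HeapAlloc 947->950"
)
# Six lines of the same routine's APIs listing, copied from this report.
API_REFS = """\
• GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000001), ref: 00C4DD1A
• LoadLibraryA.KERNELBASE(00000000,?,?,?,?,?,?,00000000,00000001), ref: 00C4DDBB
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00C4DE59
• HeapAlloc.KERNEL32(00C4D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C4DF03
• GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00C4DF73
• HeapAlloc.KERNEL32(00C4D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C4E00E
"""

ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")  # "c4dd1a-c4dd3f" or a lone "c4dbef"
EDGE = re.compile(r"^\d+->\d+$")
REF = re.compile(r"^•\s*(\w+)\.(\w+)\(.*\),\s*ref:\s*([0-9A-Fa-f]+)")
Graph = namedtuple("Graph", "entry blocks succ")  # succ: block id -> successor ids in listing order


@dataclass
class Block:
    bid: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # internal targets from "call c25730"
    apis: list = field(default_factory=list)   # Win32 API names listed in the block


def parse_cfg(text):
    """Tokenise one control_flow_graph line. Assumed conventions (read off the dump):
    block ids are decimal and followed by a hex address; every address in this report
    starts with a letter, so the two never collide; '* n' repeats the preceding call."""
    toks = text.replace("control_flow_graph", "", 1).split()
    blocks, succ, entry, cur, i = {}, {}, None, None, 0
    while i < len(toks):
        t = toks[i]
        if EDGE.match(t):
            a, _, b = t.partition("->")
            succ.setdefault(int(a), []).append(int(b))
            i += 1
        elif t.isdigit() and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")
            cur = Block(int(t), int(lo, 16), int(hi or lo, 16))
            blocks[cur.bid] = cur
            succ.setdefault(cur.bid, [])
            entry = cur.bid if entry is None else entry
            i += 2
        elif t == "call" and i + 1 < len(toks):
            cur.calls.append(toks[i + 1])
            i += 2
        elif t == "*" and i + 1 < len(toks) and toks[i + 1].isdigit():
            cur.calls.extend([cur.calls[-1]] * (int(toks[i + 1]) - 1))
            i += 2
        else:
            cur.apis.append(t)
            i += 1
    return Graph(entry, blocks, succ)


def api_path(g, target):
    """BFS (successors in listing order) from the entry block to the first block
    naming `target`; returns the API names met along that path, or None."""
    parent, queue = {g.entry: None}, deque([g.entry])
    while queue:
        b = queue.popleft()
        if b in g.blocks and target in g.blocks[b].apis:
            path = []
            while b is not None:
                path.append(b)
                b = parent[b]
            return [a for bid in reversed(path) if bid in g.blocks for a in g.blocks[bid].apis]
        for s in g.succ.get(b, []):
            if s not in parent:
                parent[s] = b
                queue.append(s)
    return None


def locate(g, addr):
    """Id of the block whose address range contains `addr`, or None."""
    return next((b.bid for b in g.blocks.values() if b.start <= addr <= b.end), None)


def locate_refs(g, api_lines):
    """(api, ref address, block id) for each 'Name.MODULE(...), ref: ADDR' line."""
    out = []
    for line in api_lines.splitlines():
        m = REF.match(line.strip())
        if m:
            ref = int(m.group(3), 16)
            out.append((m.group(1), ref, locate(g, ref)))
    return out
```

Run stand-alone the module only defines functions; `api_path(parse_cfg(CFG_SAMPLE), "GetAdaptersInfo")` gives the path above. A ref that `locate` maps to `None` means the address falls outside every parsed block; with the excerpt cut after block 950 that is expected for refs beyond it, so treat `None` as "outside the excerpt" rather than as a report inconsistency. The same parser applies unchanged to the other graphs on this page, including the `call c240b0 * 2` form in the first one.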

Control-flow Graph

                                                                                                                                                                                                              control_flow_graph 1036 c260a0-c260cd 1037 c260d3-c26245 call c43570 call c240b0 Sleep call c450d0 call c25730 call c450d0 call c43840 1036->1037 1038 c26401-c26404 1036->1038 1051 c26266-c26289 FindFirstFileA 1037->1051 1052 c26247-c2625f 1037->1052 1053 c263c4-c26400 call c49e60 1051->1053 1054 c2628f-c262a7 1051->1054 1052->1051 1053->1038 1056 c262e2-c262ec 1054->1056 1057 c262a9-c262c5 1054->1057 1059 c262f0-c2634c call c450d0 DeleteFileA 1056->1059 1057->1056 1058 c262c7-c262db 1057->1058 1058->1056 1063 c26363-c26373 1059->1063 1064 c2634e-c26361 1059->1064 1065 c26379-c2638c FindNextFileA 1063->1065 1064->1065 1065->1059 1066 c26392-c263bd FindClose 1065->1066 1066->1053
APIs
  • Part of subcall function 00C240B0: lstrlen.KERNEL32(?,?,00C26175,?,00000104,?,00000001), ref: 00C240DD
• Sleep.KERNELBASE(000003E8,00000001), ref: 00C26189
• FindFirstFileA.KERNELBASE(?,?), ref: 00C26274
• DeleteFileA.KERNELBASE(?), ref: 00C2632E
• FindNextFileA.KERNELBASE(?,?), ref: 00C26384
• FindClose.KERNEL32(?), ref: 00C263AA
Strings
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleeplstrlen
• String ID: xsh
• API String ID: 3282225923-3135071692
• Opcode ID: 1de1caba434abc4a2d694002ad040cc33c3f308d8e67ce99063921ff02beb893
• Instruction ID: 278b63c5cd9da670589dcce28745b520fb6a0bd96edcd45e1e38d129e6a88377
• Opcode Fuzzy Hash: 1de1caba434abc4a2d694002ad040cc33c3f308d8e67ce99063921ff02beb893
• Instruction Fuzzy Hash: 4E81D0799003149FC738CF66FD82BAE77B5FB94311F14815AE506A72B0EBB09A81CB51

Control-flow Graph

                                                                                                                                                                                                              control_flow_graph 1111 c4fe10-c4ff2a call c4ee20 * 2 call c499b0 1118 c4ff67-c5003c call c21800 call c260a0 call c45860 call c25730 call c450d0 call c43840 1111->1118 1119 c4ff2c-c4ff44 1111->1119 1133 c50040-c500ca call c23dc0 call c4c080 1118->1133 1119->1118 1120 c4ff46-c4ff61 1119->1120 1120->1118 1138 c50730-c50772 call c26660 Sleep 1133->1138 1139 c500d0 1133->1139 1146 c50794-c507b8 call c33880 call c3c250 1138->1146 1147 c50774-c5078e 1138->1147 1141 c500d2-c500d4 1139->1141 1142 c500da-c50117 1139->1142 1141->1138 1141->1142 1144 c50136 1142->1144 1145 c50119-c50134 1142->1145 1148 c50140-c50161 call c41a30 1144->1148 1145->1148 1156 c507bd-c507c2 1146->1156 1147->1146 1154 c50163-c50182 1148->1154 1155 c50188-c5019e 1148->1155 1154->1155 1157 c501a0-c501af 1155->1157 1158 c501bb-c501df 1155->1158 1162 c507c4-c507de 1156->1162 1163 c5081d-c50831 1156->1163 1157->1158 1159 c501b1 1157->1159 1160 c501e1-c50208 1158->1160 1161 c5020a 1158->1161 1159->1158 1164 c50214-c50217 1160->1164 1161->1164 1165 c507e0-c5080d call c438b0 1162->1165 1166 c50813 1162->1166 1163->1133 1167 c50716-c50726 1164->1167 1168 c5021d 1164->1168 1165->1166 1166->1163 1167->1138 1170 c50225-c50275 call c23dc0 1168->1170 1174 c50277-c5028b 1170->1174 1175 c5028d-c5029d 1170->1175 1176 c502a3-c502b2 1174->1176 1175->1176 1177 c5033e-c5035c 1176->1177 1178 c502b8 1176->1178 1179 c5035e-c50363 1177->1179 1180 c50369-c503ad call c497d0 call c25730 call c401b0 1177->1180 1181 c502bf-c5032c call c4c080 1178->1181 1182 c502ba-c502bd 1178->1182 1179->1180 1191 c503b2-c5043a call c43840 call c35520 call c42950 1180->1191 1181->1177 1187 c5032e-c50338 1181->1187 1182->1177 1182->1181 1187->1177 1198 c50677 1191->1198 1199 c50440-c50480 call c25730 1191->1199 1201 c5067c-c5068a 1198->1201 
1205 c50482 1199->1205 1206 c5048c-c504fb call c2b980 call c43840 call c45810 1199->1206 1203 c5068c-c50698 1201->1203 1204 c5069e-c506cf call c49e60 1201->1204 1203->1204 1211 c506d1-c506e4 1204->1211 1212 c506eb-c506ed 1204->1212 1205->1206 1221 c504fd-c5050c 1206->1221 1222 c5051c-c50593 call c24460 call c35b60 call c45810 call c50840 call c25730 1206->1222 1211->1212 1214 c5070c 1212->1214 1215 c506ef-c50704 1212->1215 1214->1167 1216 c50220 1215->1216 1217 c5070a 1215->1217 1216->1170 1217->1167 1221->1222 1224 c5050e-c50515 1221->1224 1234 c50595 1222->1234 1235 c5059f-c5061d call c401b0 call c43840 call c35520 1222->1235 1224->1222 1234->1235 1242 c50641-c5064d 1235->1242 1243 c5061f-c5063f 1235->1243 1244 c50653-c50675 call c42950 1242->1244 1243->1244 1244->1201
Strings
• mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe", xrefs: 00C507EA
• C:\daxjjwrfm\tkjnbticppc.exe, xrefs: 00C507EF
• 1BJ, xrefs: 00C50617
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: CountSystemTickTime
• String ID: 1BJ$C:\daxjjwrfm\tkjnbticppc.exe$mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"
• API String ID: 2164215191-4072432483
• Opcode ID: d7f176e43f62f33eaff8720c1da9f683f8072a78fd3040f58e684628b31bee44
• Instruction ID: 3327bf09f8e074901b3137805bc160355f68a3070a00c1ab61fb8d1cc3f9e0d8
• Opcode Fuzzy Hash: d7f176e43f62f33eaff8720c1da9f683f8072a78fd3040f58e684628b31bee44
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DE42E279910300CBC728CF66EC92BAE37B1FB54312F14412AE806E72B1EBB49985DF55

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                              control_flow_graph 1247 c403b9 1248 c403c0-c403f9 1247->1248 1249 c4041a-c4045e 1248->1249 1250 c403fb-c40413 1248->1250 1251 c40460-c40468 1249->1251 1252 c404a2-c404b7 1249->1252 1250->1248 1253 c40415 1250->1253 1255 c40470-c404a0 1251->1255 1254 c404bd-c404f1 call c240b0 * 2 1252->1254 1253->1254 1260 c412e6-c412f4 call c50840 1254->1260 1261 c404f7-c4055b call c450d0 1254->1261 1255->1252 1255->1255 1266 c4059c-c405e5 call c25730 call c2b980 call c43840 1261->1266 1267 c4055d-c40588 1261->1267 1275 c405e7-c405f7 1266->1275 1276 c4060f-c4061b call c4e820 1266->1276 1267->1266 1268 c4058a-c40596 1267->1268 1268->1266 1277 c40605 1275->1277 1278 c405f9-c40603 1275->1278 1281 c40621-c40651 call c25730 1276->1281 1282 c4079a-c40895 call c44a90 call c45810 call c50840 call c25730 call c44a90 call c45810 call c50840 call c43840 call c44a90 call c45810 call c50840 1276->1282 1277->1276 1278->1276 1288 c40653 1281->1288 1289 c4065d-c40696 call c275a0 call c3bc70 call c34010 1281->1289 1332 c40a39-c40aa3 call c25730 call c44a90 call c45810 call c50840 1282->1332 1333 c4089b-c408b0 1282->1333 1288->1289 1303 c406a2-c406c5 call c43840 1289->1303 1304 c40698 1289->1304 1310 c40790 1303->1310 1311 c406cb-c40728 call c43ae0 call c46b70 1303->1311 1304->1303 1310->1282 1321 c40743-c40789 call c25730 call c2b980 call c43840 1311->1321 1322 c4072a-c4073d 1311->1322 1321->1310 1322->1321 1352 c40aa5-c40aaf 1332->1352 1353 c40ab1-c40abd 1332->1353 1334 c408b2-c408cc 1333->1334 1335 c408ce-c408d5 1333->1335 1339 c408db-c40956 call c25730 call c44a90 call c45810 call c50840 call c25730 1334->1339 1335->1339 1363 c40958-c40977 1339->1363 1364 c4098b-c40a33 call c43840 call c4e820 call c2bba0 call c43840 call c44a90 call c45810 call c50840 1339->1364 1355 c40ac3-c40ae0 call c43840 
1352->1355 1353->1355 1361 c40ae2-c40aee 1355->1361 1362 c40b0f-c40b11 1355->1362 1368 c40b05 1361->1368 1369 c40af0-c40b03 1361->1369 1365 c40b13-c40b17 call c45810 1362->1365 1366 c40b1c-c40b5f socket 1362->1366 1363->1364 1370 c40979-c40985 1363->1370 1364->1332 1365->1366 1373 c40bb0-c40bd3 1366->1373 1374 c40b61-c40b77 1366->1374 1368->1362 1369->1362 1370->1364 1377 c40c70-c40c93 gethostbyname 1373->1377 1378 c40bd9-c40c00 1373->1378 1374->1260 1376 c40b7d-c40b95 1374->1376 1376->1260 1381 c40b9b-c40baf call c50840 1376->1381 1377->1260 1379 c40c99-c40cbc 1377->1379 1382 c40c31-c40c3e 1378->1382 1383 c40c02-c40c1a 1378->1383 1384 c40ce0-c40d42 inet_ntoa inet_addr htons connect 1379->1384 1385 c40cbe-c40cd9 1379->1385 1390 c40c45-c40c69 setsockopt 1382->1390 1388 c40c23-c40c2f 1383->1388 1389 c40c1c-c40c21 1383->1389 1391 c40d44-c40d6c call c50840 1384->1391 1392 c40d6d-c40db1 call c4e820 call c47610 send call c4e820 1384->1392 1385->1384 1388->1390 1389->1390 1390->1377 1410 c40dd2-c40e13 call c26660 1392->1410 1411 c40db3-c40dd1 call c50840 1392->1411 1417 c40e15-c40e1a 1410->1417 1418 c40e21-c40e38 1410->1418 1417->1418 1419 c40e3a-c40e55 1418->1419 1420 c40e5b-c40e8f recv 1418->1420 1419->1420 1421 c41275-c412ac closesocket 1420->1421 1422 c40e95-c40ea7 call c22bb0 1420->1422 1424 c412dc 1421->1424 1425 c412ae-c412d6 call c43ae0 call c46b70 1421->1425 1422->1421 1428 c40ead-c40ed5 1422->1428 1424->1260 1425->1424 1430 c40ed7-c40ee9 1428->1430 1431 c40eeb-c40ef7 1428->1431 1434 c40efd-c40f21 call c4e820 call c50850 call c4e860 1430->1434 1431->1434 1434->1421 1441 c40f27-c40f71 call c21890 1434->1441 1444 c40f73 1441->1444 1445 c40f7d-c40f7f 1441->1445 1444->1445 1446 c40f85-c41009 call c25730 call c275a0 call c3bc70 call c34010 1445->1446 1447 c411df-c411f6 1445->1447 1466 c41026-c41045 call c43840 1446->1466 1467 c4100b-c41020 1446->1467 1448 c41205-c41228 1447->1448 1449 c411f8-c41203 call c4e820 1447->1449 1452 c41256-c41260 1448->1452 1453 
c4122a-c41240 call c4e820 1448->1453 1449->1421 1449->1448 1452->1418 1460 c41265-c41270 1453->1460 1461 c41242-c4124f 1453->1461 1460->1421 1461->1452 1470 c411d5 1466->1470 1471 c4104b-c41079 1466->1471 1467->1466 1470->1447 1472 c410b6-c410d4 call c476d0 1471->1472 1473 c4107b-c410a0 1471->1473 1477 c410d6-c410e2 1472->1477 1478 c410e8-c410ea 1472->1478 1473->1472 1474 c410a2-c410af 1473->1474 1474->1472 1477->1478 1479 c410f0-c41120 call c25730 1478->1479 1480 c411cb 1478->1480 1483 c41141-c41199 call c275a0 call c3bc70 call c34010 call c43840 1479->1483 1484 c41122-c4113b 1479->1484 1480->1470 1493 c411b6-c411b8 1483->1493 1494 c4119b-c411af 1483->1494 1484->1483 1493->1421 1495 c411be-c411c1 1493->1495 1494->1493 1495->1480
Strings
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID:
• String ID: !|/0$/
• API String ID: 0-3339975929
• Opcode ID: 209cbbc81b236738233f946c0316a92cdc280870560d7d159244ad41577566fa
• Instruction ID: f9f0bbc937961a0a6efce8afaa14585f164f02b57a0e9e8c9731bd67e3228c2c
• Opcode Fuzzy Hash: 209cbbc81b236738233f946c0316a92cdc280870560d7d159244ad41577566fa
• Instruction Fuzzy Hash: A50237799103108BC728DF65FC92BBE77B5FB50302F14812AE506A72E2EBB05A85DF51

Control-flow Graph
APIs
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?), ref: 00C4327A
• WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 00C4344B
• CloseHandle.KERNELBASE(?), ref: 00C434DA
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID:
• API String ID: 1065093856-0
• Opcode ID: 085a44ffb076184de5b005fb834d64481f60989b7a7834a563c7ee1b8d9cce52
• Instruction ID: ded5e631bd5c2a1e5aa089fb3dc7cb30ecacb789a2c95bf1a3c18118f074a48d
• Opcode Fuzzy Hash: 085a44ffb076184de5b005fb834d64481f60989b7a7834a563c7ee1b8d9cce52
• Instruction Fuzzy Hash: E6C1D079A10750DBC724CF6AFC9176E33F5F794326B10811AE802DB2B5E7B49A82DB40

Control-flow Graph
APIs
• GetProcAddress.KERNEL32(75B30000,00000000), ref: 00C47229
• GetProcAddress.KERNEL32(75B30000,00000000), ref: 00C47275
• CryptGenRandom.ADVAPI32(00000000,00000004,00000000,00000000), ref: 00C473AD
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: AddressProc$CryptRandom
• String ID:
• API String ID: 646182245-0
• Opcode ID: fb2fd2b4387557f972c45cae2adae5369798f5cd3c6e0d3b08f0521f08eda4e6
• Instruction ID: 11b6f318b96e7d4ea2f7d50da576ccf7a8b9223669576600805f128da2e0b8d3
• Opcode Fuzzy Hash: fb2fd2b4387557f972c45cae2adae5369798f5cd3c6e0d3b08f0521f08eda4e6
• Instruction Fuzzy Hash: 9FB1EF79A14301CFDB28CF66FD9276E37B4F754312B10422AE902EB6B0E7B49981DB45
APIs
• GetComputerNameA.KERNEL32(?,00000010), ref: 00C4CD44
  • Part of subcall function 00C240B0: lstrlen.KERNEL32(?,?,00C26175,?,00000104,?,00000001), ref: 00C240DD
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: ComputerNamelstrlen
• String ID:
• API String ID: 4141851928-0
• Opcode ID: b888bbdd4a66559bc8100da321cf8c7fe95dfd22355603ed26d1f80c9209b7a9
• Instruction ID: 48587ec9f71e1f2f15e6b9d5fbfcfeabcc5a62c33c2c2ebb3c97066b749a8c3e
• Opcode Fuzzy Hash: b888bbdd4a66559bc8100da321cf8c7fe95dfd22355603ed26d1f80c9209b7a9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3952E275910214CBC728DF66FC92BBE73B5FB54301F50812AE406A72B1EBB0AE84DB55
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00C4503B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CtrlDispatcherServiceStart
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3789849863-0
                                                                                                                                                                                                              • Opcode ID: 660a246fb99b392578c5ff52bc281b36a4f3bbea229ffe86debfec820afa6a85
                                                                                                                                                                                                              • Instruction ID: 1e1d85db7a7a150e82ce13949132d92f1aa153f90563c93a39902f00cbb1df2e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 660a246fb99b392578c5ff52bc281b36a4f3bbea229ffe86debfec820afa6a85
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D0F034B1D142098BCB14DF6AEC407AE7BB8FB14315B0049AAE809E3325F7B59600CF81

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                              control_flow_graph 1016 c2b531-c2b5ac 1017 c2b5b8-c2b609 1016->1017 1018 c2b5ae 1016->1018 1019 c2b615-c2b630 1017->1019 1020 c2b60b 1017->1020 1018->1017 1021 c2b632-c2b646 1019->1021 1022 c2b65e-c2b694 RegisterServiceCtrlHandlerA 1019->1022 1020->1019 1023 c2b654 1021->1023 1024 c2b648-c2b652 1021->1024 1025 c2b696-c2b6a3 1022->1025 1026 c2b6aa-c2b6b0 1022->1026 1023->1022 1024->1022 1025->1026 1027 c2b6b6-c2b6ee 1026->1027 1028 c2b8ba-c2b8d6 1026->1028 1029 c2b702-c2b7a0 SetServiceStatus CreateEventA SetServiceStatus 1027->1029 1030 c2b6f0-c2b6fc 1027->1030 1031 c2b7a2-c2b7ac 1029->1031 1032 c2b7b0-c2b7db WaitForSingleObject 1029->1032 1030->1029 1031->1032 1032->1032 1033 c2b7dd-c2b8b0 call c26590 SetServiceStatus CloseHandle SetServiceStatus 1032->1033 1033->1028
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegisterServiceCtrlHandlerA.ADVAPI32(0138E380,Function_00014290,E4E0A1C8,?,00000072), ref: 00C2B669
                                                                                                                                                                                                              • SetServiceStatus.SECHOST(01399E70,00C667EC,?,00000072), ref: 00C2B70D
                                                                                                                                                                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000072), ref: 00C2B721
                                                                                                                                                                                                              • SetServiceStatus.ADVAPI32(01399E70,00C667EC,?,00000072), ref: 00C2B771
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000228,00001388,?,00000072), ref: 00C2B7D0
                                                                                                                                                                                                              • SetServiceStatus.ADVAPI32(01399E70,00C667EC,00000072), ref: 00C2B82A
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000228), ref: 00C2B841
                                                                                                                                                                                                              • SetServiceStatus.ADVAPI32(01399E70,00C667EC), ref: 00C2B8AA
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3399922960-0
                                                                                                                                                                                                              • Opcode ID: 47b708a90b18336683586aa5225080a29007cc1f06000f25ce098f9fecc4b0e2
                                                                                                                                                                                                              • Instruction ID: 39497ead33e6e4802ce9c20eaccc27a0af33e47a3622822900902169b136cbb2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 47b708a90b18336683586aa5225080a29007cc1f06000f25ce098f9fecc4b0e2
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E981AB795113118FC328CF27FD95B2E3BA5F798706B00852AE452DB6B4EBF49885CB40

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                              control_flow_graph 1067 c3c250-c3c26e 1068 c3c270-c3c28e 1067->1068 1069 c3c29a-c3c2d0 1067->1069 1068->1069 1072 c3c290 1068->1072 1070 c3c2e2-c3c326 CreateToolhelp32Snapshot 1069->1070 1071 c3c2d2-c3c2dd 1069->1071 1073 c3c4e5-c3c51e call c49e60 1070->1073 1074 c3c32c-c3c381 Process32First 1070->1074 1071->1070 1072->1069 1076 c3c387 1074->1076 1077 c3c4ca-c3c4db CloseHandle 1074->1077 1079 c3c390-c3c3d5 call c4f8f0 1076->1079 1077->1073 1082 c3c3d7-c3c3e7 1079->1082 1083 c3c3e9-c3c40d 1079->1083 1084 c3c414-c3c43f call c32290 call c41d60 1082->1084 1083->1084 1089 c3c441-c3c49c Process32Next 1084->1089 1090 c3c4a4-c3c4c3 1084->1090 1089->1079 1091 c3c4a2 1089->1091 1090->1077 1091->1077
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?), ref: 00C3C312
                                                                                                                                                                                                              • Process32First.KERNEL32(00000000,?), ref: 00C3C35A
                                                                                                                                                                                                              • Process32Next.KERNEL32(00000000,00000128), ref: 00C3C478
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Process32$CreateFirstNextSnapshotToolhelp32
                                                                                                                                                                                                              • String ID: 7<.s
                                                                                                                                                                                                              • API String ID: 1238713047-2747411034
                                                                                                                                                                                                              • Opcode ID: 3da0f80bc4fb5c16b44cef3e8104415cb39337c8694f1a792a6ec139368b19d9
                                                                                                                                                                                                              • Instruction ID: 58d835429f4d65483950b2ba509ebf8f5a9f623c4108c45134b984bd6b832ff1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3da0f80bc4fb5c16b44cef3e8104415cb39337c8694f1a792a6ec139368b19d9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 04510579510311CBD724CF22FD957BD37B5FB44305F10811AE946AA6B4EBB48980CF91

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                              control_flow_graph 1092 c438b0-c438d2 1093 c438d4-c438e1 1092->1093 1094 c438e7-c438ff 1092->1094 1093->1094 1095 c43901-c43926 1094->1095 1096 c4392b-c43937 1094->1096 1095->1096 1097 c43976-c43992 call c49e60 1096->1097 1098 c43939-c43961 1096->1098 1102 c43994-c439a1 1097->1102 1103 c439a8-c43a18 call c49e60 CreateProcessA 1097->1103 1098->1097 1100 c43963-c43970 1098->1100 1100->1097 1102->1103 1106 c43a64-c43a79 1103->1106 1107 c43a1a-c43a24 1103->1107 1110 c43a7f-c43a94 1106->1110 1108 c43a26-c43a33 1107->1108 1109 c43a3a-c43a62 CloseHandle * 2 1107->1109 1108->1109 1109->1110
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateProcessA.KERNELBASE(?,00C507F9,00000000,00000000,00000000,00000008,00000000,00000000,?,?,?,?,?,?,?,00000001), ref: 00C43A0F
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00C507F9,?,?,?,?,00000001), ref: 00C43A3E
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,00000001), ref: 00C43A52
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandle$CreateProcess
                                                                                                                                                                                                              • String ID: D
                                                                                                                                                                                                              • API String ID: 2922976086-2746444292
                                                                                                                                                                                                              • Opcode ID: 52bda8bfd04f5d61deb6ccad09312c75790ffd7867c6425c7350b1143a0ecdf3
                                                                                                                                                                                                              • Instruction ID: e740a4b00dc3a4562ba6c729d6c39bb989ccd98d4d4b6cb8efe2c1346cc09aa2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 52bda8bfd04f5d61deb6ccad09312c75790ffd7867c6425c7350b1143a0ecdf3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3D4113759003049FD728DF5AEC91B6D37B5FB98712F10401AE506EB2B4E7F0A985CB85

Control-flow Graph
control_flow_graph 1604 c4c640-c4c650 1605 c4c664-c4c6b9 1604->1605 1606 c4c652-c4c65e 1604->1606 1607 c4c6ea-c4c71e AllocateAndInitializeSid 1605->1607 1608 c4c6bb-c4c6d7 1605->1608 1606->1605 1611 c4c724-c4c73f CheckTokenMembership 1607->1611 1612 c4c7f1-c4c819 1607->1612 1609 c4c6e0 1608->1609 1610 c4c6d9-c4c6de 1608->1610 1609->1607 1610->1607 1613 c4c741-c4c76e 1611->1613 1614 c4c77a-c4c7ad FreeSid 1611->1614 1613->1614 1615 c4c770 1613->1615 1614->1612 1616 c4c7af-c4c7c3 1614->1616 1615->1614 1617 c4c7c5-c4c7d7 1616->1617 1618 c4c7d9-c4c7eb 1616->1618 1617->1612 1618->1612
APIs
• AllocateAndInitializeSid.ADVAPI32(00C32591,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00C32591), ref: 00C4C701
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00C4C737
• FreeSid.ADVAPI32(?), ref: 00C4C798
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 181c7dbd49076b4492166b90e72d74321cb8e9fa808bf23bbce3ca0e1c99850c
• Instruction ID: 98a5a68fe2e052a049d4e952aee6325c16b6f27a1d05ba9b1e95cf12741299ef
• Opcode Fuzzy Hash: 181c7dbd49076b4492166b90e72d74321cb8e9fa808bf23bbce3ca0e1c99850c
• Instruction Fuzzy Hash: 3F41BE39A05344DFC718CB69EDD6BAE7BB4FB58302B50815AE502E7271E770AA84CF05

Control-flow Graph
control_flow_graph 1619 c3c389 1620 c3c390-c3c3d5 call c4f8f0 1619->1620 1623 c3c3d7-c3c3e7 1620->1623 1624 c3c3e9-c3c40d 1620->1624 1625 c3c414-c3c43f call c32290 call c41d60 1623->1625 1624->1625 1630 c3c441-c3c49c Process32Next 1625->1630 1631 c3c4a4-c3c4c3 1625->1631 1630->1620 1632 c3c4a2 1630->1632 1633 c3c4ca-c3c51e CloseHandle call c49e60 1631->1633 1632->1633
APIs
• Process32Next.KERNEL32(00000000,00000128), ref: 00C3C478
• CloseHandle.KERNELBASE(00000000), ref: 00C3C4D5
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: CloseHandleNextProcess32
• String ID:
• API String ID: 4007157957-0
• Opcode ID: d08fdae7a5bb610bbc429520bcfb5d6879abda07f1140661213fa8f5260f9bd6
• Instruction ID: 395894d4e41fffdbb436252c512befbe393b4c2a00fb38a596bd333cb948b1bf
• Opcode Fuzzy Hash: d08fdae7a5bb610bbc429520bcfb5d6879abda07f1140661213fa8f5260f9bd6
• Instruction Fuzzy Hash: 9A31F275910310CFD738DF22ED95BEE33B5FB84305F10855AE945AA260E7B49A84CFA0

Control-flow Graph
control_flow_graph 1637 c36f00-c36f12 1638 c36f43-c36f67 GetProcessHeap RtlAllocateHeap 1637->1638 1639 c36f14-c36f2e 1637->1639 1639->1638 1640 c36f30-c36f3c 1639->1640 1640->1638
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,00C39195,021A1850,?,?,?,?,?,00C46DD6), ref: 00C36F59
• RtlAllocateHeap.NTDLL(00000000,?,00C39195,021A1850,?,?,?,?,?,00C46DD6), ref: 00C36F60
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 0deafb8502617fd8449614fa0650b960843ed2cb6a43d4df8ecc67a4914d79a6
• Instruction ID: 5d23b4825fab11647d4e0c6cdd883ebf9c8c616eca6d6fc4ac8832c69a38b1f2
• Opcode Fuzzy Hash: 0deafb8502617fd8449614fa0650b960843ed2cb6a43d4df8ecc67a4914d79a6
• Instruction Fuzzy Hash: BBF08235515B018BCB18DB65FD99B3937E9EB49642B044014F106975A0EAF5958087D8

Control-flow Graph
control_flow_graph 1641 c3c520-c3c52d 1642 c3c543-c3c565 GetProcessHeap RtlFreeHeap 1641->1642 1643 c3c52f-c3c53c 1641->1643 1644 c3c567-c3c576 1642->1644 1645 c3c57c-c3c57d 1642->1645 1643->1642 1644->1645
APIs
• GetProcessHeap.KERNEL32(00000000,00000002,?,00C4387D,00003C1C,00003C1C,00000000,-00000002,00000000,?,00C2622A,00000002,00000000,?,00000000,00003C1C), ref: 00C3C549
• RtlFreeHeap.NTDLL(00000000,?,00C4387D,00003C1C,00003C1C,00000000,-00000002,00000000,?,00C2622A,00000002,00000000,?,00000000,00003C1C,00000002), ref: 00C3C550
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 27951d0f6cf1741b5b201ccc392c817166c7cf3041cbea264b5803a264028383
• Instruction ID: 168ec6773f563c978b70c78886940b25d7bc8ec178bb0fc3507444b0140daa40
• Opcode Fuzzy Hash: 27951d0f6cf1741b5b201ccc392c817166c7cf3041cbea264b5803a264028383
• Instruction Fuzzy Hash: BEF0E5758083048FDA24DF59EC9577D37F4EB04305F00040AE906E7260E7B4F880DB59
APIs
• lstrlen.KERNEL32(00C3C420,00000000,?,00C3C420,?), ref: 00C322A2
• CharLowerBuffA.USER32(00C3C420,00000000,?,00C3C420,?), ref: 00C322BE
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0
• Opcode ID: 27d89a4eb37636c7007056e70656f6b72f6b92f636a8ae555f8aa19a005c3723
• Instruction ID: 46e50e327289ac05d94bb40e86e8be2799c2658f43b559add032de1ec0e0bf6f
• Opcode Fuzzy Hash: 27d89a4eb37636c7007056e70656f6b72f6b92f636a8ae555f8aa19a005c3723
• Instruction Fuzzy Hash: EDE0DF761146209BC3209F9AFC493FD37ECFA083063040256F549D31B0EBE458818390
APIs
• CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00C27452
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: eea857ff1e495d68cbfccee7c1fb5ab4ceca79b3d0a661d23408fd94f136b3f0
• Instruction ID: 2469d65554ec55503c909d2f1715713bbe2cd3706913c335fc3fa83d53030910
• Opcode Fuzzy Hash: eea857ff1e495d68cbfccee7c1fb5ab4ceca79b3d0a661d23408fd94f136b3f0
• Instruction Fuzzy Hash: B751E47AA043108FD328DF2AFC9276D37B5F784712F14812AE502E76B1E7B49981CB55
APIs
• CreateFileA.KERNELBASE(00000708,80000000,00000000,00000000,00000003,00000000,00000000,?,?,00000708,00000000), ref: 00C43753
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 0e5ef310c89e2ae24d9506f43ffe3ee35cfb8cb9b3301129f89b9abc9a6d1f07
• Instruction ID: b857225ad9a889c750e219a6af87e07fceb97adb9347b199e0e662f3784999bd
• Opcode Fuzzy Hash: 0e5ef310c89e2ae24d9506f43ffe3ee35cfb8cb9b3301129f89b9abc9a6d1f07
• Instruction Fuzzy Hash: 965104B6A003109BD724CF66FC92B2D37E5FB54716F14422AE946DB3B0E7B49981CB90
APIs
  • Part of subcall function 00C220E0: GetStdHandle.KERNEL32(000000F6,?,?,00C46D5F), ref: 00C22113
  • Part of subcall function 00C220E0: GetStdHandle.KERNEL32(000000F5,?,?,00C46D5F), ref: 00C22145
  • Part of subcall function 00C220E0: GetStdHandle.KERNEL32(000000F4,?,?,00C46D5F), ref: 00C22198
• ExitProcess.KERNEL32 ref: 00C46E44
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Handle$ExitProcess
• String ID:
• API String ID: 256993070-0
• Opcode ID: 12962d104f23e1470c23c905f82df49c1f7e053d2a1ef9cea772e9cf7e4a913f
• Instruction ID: 026dffe97dfa0d94c362bca78d592a41f6cc1e8fc17d6393dd601a70a9827d72
• Opcode Fuzzy Hash: 12962d104f23e1470c23c905f82df49c1f7e053d2a1ef9cea772e9cf7e4a913f
• Instruction Fuzzy Hash: D721DB3AA1161087C728DF75FC9237D37A2E7547223048526EC0187B79FBB58985D742
APIs
• Sleep.KERNELBASE(000003E8,00000000,?,00C5007D,?,00000708,00000000), ref: 00C4C1C3
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 0134f85939a54ce6b64de188d5af9143f9193aa6c021d70e025f8ff1af669f3b
• Instruction ID: 720861b5f9bb03d176f1e158e2a261ba644c73331d842ce0d63a636675c52084
• Opcode Fuzzy Hash: 0134f85939a54ce6b64de188d5af9143f9193aa6c021d70e025f8ff1af669f3b
• Instruction Fuzzy Hash: AD5114359013109BD378DB26EC8273E37F4FB94721B10452AE842EB6B1E7B88981DB91
APIs
• CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 00C4F00B
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00C4F086
• CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 00C4F0A6
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00C4F147
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 00C4F2C2
• CloseHandle.KERNEL32(00000000), ref: 00C4F353
• CloseHandle.KERNEL32(?), ref: 00C4F367
• CloseHandle.KERNEL32(00000000), ref: 00C4F37B
• CloseHandle.KERNEL32(00000000), ref: 00C4F3A9
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C4F446
• CloseHandle.KERNEL32(00000000), ref: 00C4F4D4
• CloseHandle.KERNEL32(00000000), ref: 00C4F4E8
• WaitForSingleObject.KERNEL32(?,00002710), ref: 00C4F56B
• CloseHandle.KERNEL32(?), ref: 00C4F586
• CloseHandle.KERNEL32(?), ref: 00C4F5A7
Strings
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: ;8\w$<,]8$D
• API String ID: 1130065513-4129721015
• Opcode ID: b4a01b9094b357c70b3e22e30c83272c8e211c53b8f5738fc36d28c5223fb3a9
• Instruction ID: 01ef8e09c7d39b3fcec481019ec6bbc3597065f85c91c44083ee7afdf543c2eb
• Opcode Fuzzy Hash: b4a01b9094b357c70b3e22e30c83272c8e211c53b8f5738fc36d28c5223fb3a9
• Instruction Fuzzy Hash: 7012B179A10305DFC728CF66ED91BAE37B5FB54712B10812EE802E7674E7B49981CB50
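The function listings in this section give only the raw stack values Joe Sandbox recovered at each call (C0000000, 00000002, 000000F6, 00002710 and so on). The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses listing lines of the shape shown above and maps the numeric arguments to Win32 constant names, so that an entry reads at a glance as CreateFileA with GENERIC_READ|GENERIC_WRITE and CREATE_ALWAYS, Sleep for 1000 ms, WaitForSingleObject with a 10000 ms timeout, or the CreatePipe / SetHandleInformation(clear HANDLE_FLAG_INHERIT) / CreateProcessA(bInheritHandles=1) / WriteFile sequence that is the usual redirected-stdio child-process pattern. Assumptions: the line format is inferred from this report, not documented; the GetStdHandle arguments 000000F6/F5/F4 are taken to be the low byte of STD_INPUT_HANDLE/STD_OUTPUT_HANDLE/STD_ERROR_HANDLE (-10/-11/-12); the summarize() pattern heuristics and their wording are ours. Constant values are those of the Windows SDK headers.

```python
import re

# Win32 constants, values as defined in the Windows SDK headers.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
# GetStdHandle takes -10/-11/-12; assumption: the report prints only their low byte (F6/F5/F4).
STD_HANDLE = {0xF6: "STD_INPUT_HANDLE", 0xF5: "STD_OUTPUT_HANDLE", 0xF4: "STD_ERROR_HANDLE"}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
          0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
HANDLE_FLAGS = {0x1: "HANDLE_FLAG_INHERIT", 0x2: "HANDLE_FLAG_PROTECT_FROM_CLOSE"}

# Listing line shape as it appears in this report (inferred, not a documented format):
#   • [Part of subcall function XXXX: ]Api.MODULE(arg,arg,...), ref: XXXX
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*?)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+))?\s*$", re.IGNORECASE)

# Sample input: lines copied from the function listings above.
SAMPLE = [
    "• CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00C27452",
    "  • Part of subcall function 00C220E0: GetStdHandle.KERNEL32(000000F6,?,?,00C46D5F), ref: 00C22113",
    "• ExitProcess.KERNEL32 ref: 00C46E44",
    "• Sleep.KERNELBASE(000003E8,00000000,?,00C5007D,?,00000708,00000000), ref: 00C4C1C3",
    "• CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 00C4F00B",
    "• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00C4F086",
    "• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 00C4F2C2",
    "• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C4F446",
    "• WaitForSingleObject.KERNEL32(?,00002710), ref: 00C4F56B",
    "• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00C4B8EC",
]


def decode_flags(value, table):
    """Names of the single-bit flags set in value, plus any remainder the table lacks."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value - sum(bit for bit in table if value & bit)
    if rest:
        names.append(hex(rest))
    return names


def _base(api):
    # Strip the A/W suffix so CreateFileA and CreateFileW decode the same way.
    return api[:-1] if len(api) > 1 and api[-1] in "AW" and api[-2].islower() else api


def _parse_args(text):
    # '?' marks a value Joe Sandbox could not recover; keep it as None, never guess.
    tokens = text.split(",") if text else []
    return [None if t.strip() in ("?", "") else int(t, 16) for t in tokens]


def _notes(api, args):
    """Symbolic reading of the arguments that matter for triage, per API."""
    arg = lambda i: args[i] if i < len(args) else None
    base, notes = _base(api), []
    if base == "CreateFile":
        if arg(1) is not None:
            notes.append("access=" + ("|".join(decode_flags(arg(1), GENERIC_ACCESS)) or "0"))
        if arg(4) is not None:
            notes.append("disposition=" + CREATION_DISPOSITION.get(arg(4), hex(arg(4))))
    elif base == "GetStdHandle" and arg(0) is not None:
        notes.append(STD_HANDLE.get(arg(0) & 0xFF, hex(arg(0))))
    elif base == "Sleep" and arg(0) is not None:
        notes.append(f"sleep {arg(0)} ms")
    elif base == "WaitForSingleObject" and arg(1) is not None:
        notes.append("timeout=INFINITE" if arg(1) == 0xFFFFFFFF else f"timeout={arg(1)} ms")
    elif base == "CreateToolhelp32Snapshot" and arg(0) is not None:
        notes.append("|".join(decode_flags(arg(0), TH32CS)) or "0")
    elif base == "SetHandleInformation" and arg(1) is not None and arg(2) is not None:
        for bit, name in HANDLE_FLAGS.items():
            if arg(1) & bit:  # dwMask selects the flag; dwFlags says whether it is set or cleared
                notes.append(("sets " if arg(2) & bit else "clears ") + name)
    elif base == "CreateProcess" and arg(4) is not None:
        notes.append(f"bInheritHandles={arg(4)}")
    return notes


def annotate(lines):
    """Parse each listing line into a dict with decoded notes; non-matching lines are skipped."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            args = _parse_args(m.group("args"))
            calls.append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                          "ref": m.group("ref"), "subcall": m.group("sub"),
                          "notes": _notes(m.group("api"), args)})
    return calls


def summarize(calls):
    """Heuristic pattern flags over one function's calls (our wording, not Joe Sandbox's)."""
    apis = {_base(c["api"]) for c in calls}
    findings = []
    if {"CreatePipe", "CreateProcess", "WriteFile"} <= apis and any(
            "bInheritHandles=1" in c["notes"] for c in calls):
        findings.append("child process with inheritable pipe handles, input written to it (redirected stdio)")
    if any("TH32CS_SNAPPROCESS" in c["notes"] for c in calls):
        findings.append("process enumeration via Toolhelp snapshot")
    return findings
```

Paste the lines of one function entry into annotate() and read the notes beside each ref address. Arguments Joe Sandbox could not recover stay None rather than being guessed, and any bits a table does not cover are left as a hex remainder, so nothing is silently mislabeled. The argument values in these listings are stack snapshots taken at the call site, so treat the decoded names as a reading aid and confirm anything that matters in the disassembly.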
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00C4B8EC
• Process32First.KERNEL32(00000000,00000128), ref: 00C4BA96
Strings
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateFirstProcess32SnapshotToolhelp32
                                                                                                                                                                                                              • String ID: 9y8
                                                                                                                                                                                                              • API String ID: 2353314856-3592070472
• Opcode ID: a509cd831d2957a1e58132455f4f391174a3567127747acfbb2749b8138aa9fb
• Instruction ID: 5a981726b936463b42c025025e10217c102ddf8a4acd4d7fc7767faa8541fd5f
• Opcode Fuzzy Hash: a509cd831d2957a1e58132455f4f391174a3567127747acfbb2749b8138aa9fb
• Instruction Fuzzy Hash: FBF1F279A103118BC728CF2AED9277E37F5FB94312B14821AE406E72B4E7B49981DB51
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00C3826F
• CreateServiceA.ADVAPI32(00000000,0138E380,0138E380,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00C382CA
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00C38301
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00C38323
• CloseServiceHandle.ADVAPI32(00000000), ref: 00C3833A
• OpenServiceA.ADVAPI32(00000000,0138E380,00000010), ref: 00C3838B
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00C383C2
• CloseServiceHandle.ADVAPI32(00000000), ref: 00C38408
• CloseServiceHandle.ADVAPI32(00000000), ref: 00C38481
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID:
• API String ID: 3525021261-0
• Opcode ID: 0e838e06b8785c7908354440433ad9990493afbb4a7799af6d4550d034746d48
• Instruction ID: afe736519a34db089f2a2e520e674b434682a6b41ddf92132de2ee14333fd2b7
• Opcode Fuzzy Hash: 0e838e06b8785c7908354440433ad9990493afbb4a7799af6d4550d034746d48
• Instruction Fuzzy Hash: FF61BB79A147019BD324CB2AFC96B3E37F4F794B02F14411AE802E66B0EBB499C5CB41
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000,00000001), ref: 00C4A124
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,0000000A,?,00000000,?,00000000,00000001), ref: 00C4A164
• GetLastError.KERNEL32(?,00000000,00000001), ref: 00C4A176
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,-0000001A,0000000A,?,00000000,00000001), ref: 00C4A24F
  • Part of subcall function 00C2BBA0: wvsprintfA.USER32(00000000,?,00C409D1), ref: 00C2BBEB
• CloseServiceHandle.ADVAPI32(00000000,00000001), ref: 00C4A44C
Similarity
• API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicewvsprintf
• String ID:
• API String ID: 475583450-0
• Opcode ID: 102110815f849b1461dbf1e4ac89a65ce9a9b66e907b3155c7cf7a52ce65d8bf
• Instruction ID: 25a56536193cc54c083ddf711098abe94a30b895370eb34e9a6e02d142cfda68
• Opcode Fuzzy Hash: 102110815f849b1461dbf1e4ac89a65ce9a9b66e907b3155c7cf7a52ce65d8bf
• Instruction Fuzzy Hash: A6C1C275A10300DBD728CF66FD81B6E77F5FB98301F00812AE506EB2A0E7B09981CB52
APIs
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00C2B1D7
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 00C2B256
• CloseHandle.KERNEL32(00000000), ref: 00C2B26B
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C2B2E7
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00C2B31A
• CloseHandle.KERNEL32(00000000), ref: 00C2B334
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: td9k
• API String ID: 3236713533-1579400769
• Opcode ID: a2f9ad8818275fe3093486bd5c2f28add0982fa80407cfbd3cead665d4809743
• Instruction ID: 59c71cd85bb24754a791db859f5a2488f2ac14479dcc173ae46c4993fbed2ef9
• Opcode Fuzzy Hash: a2f9ad8818275fe3093486bd5c2f28add0982fa80407cfbd3cead665d4809743
• Instruction Fuzzy Hash: 6151BE79A113059BC324CF6AFC81B6E77B4FB84315F14825AE805EB6A0E7B09D81CF85
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,000000FF), ref: 00C4A7F1
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,000000FF), ref: 00C4A849
• CloseHandle.KERNEL32(00000000,?,?,000000FF), ref: 00C4A885
• GetTickCount.KERNEL32 ref: 00C4A8B8
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00C4AA75
• WriteFile.KERNEL32(00000000,000000FF,?,?,00000000), ref: 00C4AAC8
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C4AAE2
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$CloseCreateHandle$CountReadTickWrite
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3478262135-0
                                                                                                                                                                                                              • Opcode ID: c6734794152b148b414685db143f2f1313d9aef52f2cc9dbf49147f19715509a
                                                                                                                                                                                                              • Instruction ID: 399071e6b7019a3282550c9bab9fc3b6edde57d4257d3cc74b23c537e1f46ef2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c6734794152b148b414685db143f2f1313d9aef52f2cc9dbf49147f19715509a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 48A111796003109FD324DF26EC82B7E33B5FB88712F14411AF805E72A4E7B49881DB96
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,00000000), ref: 00C41F5E
• Process32First.KERNEL32(00000000,00000128), ref: 00C41FDC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C420A2
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
• String ID:
• API String ID: 3397401024-0
• Opcode ID: eb599a0a2ad7b78b273dff56c19b3c5a6ba9b65304ed4835e29ff3d80e12c26a
• Instruction ID: 0c22815f6a45fc00360ef1625713fd14410cbca0d40cf4e9a3030f933a9ddd72
• Opcode Fuzzy Hash: eb599a0a2ad7b78b273dff56c19b3c5a6ba9b65304ed4835e29ff3d80e12c26a
• Instruction Fuzzy Hash: B3A1ACB9A01310CBD728DF26ED927AD77B5FB54312B10421AE806EA274E7B49A85CF50
APIs
  • Part of subcall function 00C240B0: lstrlen.KERNEL32(?,?,00C26175,?,00000104,?,00000001), ref: 00C240DD
• CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000), ref: 00C4BC6C
• Module32First.KERNEL32(00000000,00000224), ref: 00C4BCE6
• CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 00C4BE0E
• Process32Next.KERNEL32(?,00000128), ref: 00C4BE48
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00C4BE96
Strings
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: CloseHandle$CreateFirstModule32NextProcess32SnapshotToolhelp32lstrlen
• String ID: 9y8
• API String ID: 2493088380-3592070472
• Opcode ID: 957f447c795746c93170f6e6cf1f0fb11a0dd294f36b967b142c2fd504e415f0
• Instruction ID: 87e42218570d7874c499c591672e39235957a8199cdc65450910efda2d370e89
• Opcode Fuzzy Hash: 957f447c795746c93170f6e6cf1f0fb11a0dd294f36b967b142c2fd504e415f0
• Instruction Fuzzy Hash: 4B71D275A00301CBDB28DF2AED92B7E37F5FB94311B10825AE806D7264EBB49D81CB51
APIs
  • Part of subcall function 00C32290: lstrlen.KERNEL32(00C3C420,00000000,?,00C3C420,?), ref: 00C322A2
  • Part of subcall function 00C32290: CharLowerBuffA.USER32(00C3C420,00000000,?,00C3C420,?), ref: 00C322BE
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C420A2
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00C42132
• CloseHandle.KERNEL32(00000000), ref: 00C4217B
• Process32Next.KERNEL32(00000000,00000128), ref: 00C42228
• CloseHandle.KERNEL32(00000000), ref: 00C4227B
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: CloseHandleProcess$BuffCharLowerNextOpenProcess32Terminatelstrlen
• String ID:
• API String ID: 3465298759-0
• Opcode ID: b42abe835ba7bbacc4d246e5f45870d34447cd8f04f4c36439c3ce38e9c37d42
• Instruction ID: 95345730cbf33f9fc6f287cf766c15185f8e17b7cc0699fdfad0047a7ca68599
• Opcode Fuzzy Hash: b42abe835ba7bbacc4d246e5f45870d34447cd8f04f4c36439c3ce38e9c37d42
• Instruction Fuzzy Hash: D661EF79A01300CBC728DF16ED92BAD77B5FB54316B10421AE902EB274E7B4AE81CF54
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,00C48262,00C21300,00000001,?), ref: 00C4199B
• CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 00C419C2
• CloseHandle.KERNEL32(00000000,?,00C48262,00C21300,00000001,?), ref: 00C419DD
• WaitForSingleObject.KERNEL32(?,000000FF,?,00C48262,00C21300,00000001,?), ref: 00C419F2
• CloseHandle.KERNEL32(?,?,000000FF,?,00C48262,00C21300,00000001,?), ref: 00C41A19
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: 1d673c09347c5b778a0d9f49783e3cd5ffb13ad175b7031af4138df21d9ddba4
• Instruction ID: 60b3a6737ce8111001ba2042f8d83a399b39eac78a1103c10109da9b3f091cd3
• Opcode Fuzzy Hash: 1d673c09347c5b778a0d9f49783e3cd5ffb13ad175b7031af4138df21d9ddba4
• Instruction Fuzzy Hash: E021B47A2003009FD324DF61ED96B1A3BA4FB48711F10861AF556EB6B4D7F0D880CB55
APIs
• RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00C37221
• RegSetValueExA.ADVAPI32(?,0138E5F8,00000000,00000001,?,00000000), ref: 00C372E0
• RegCloseKey.ADVAPI32(?), ref: 00C37300
Strings
Memory Dump Source
• Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: CloseOpenValue
• String ID: IR
• API String ID: 779948276-3379982419
• Opcode ID: a13e67a17cd77830a4613271af499fc5a9d89a009339c6d632268fc77772059d
• Instruction ID: 4354206dd284ed0ebcce9cd3b6dc899cb20abeda9d527e6a538c0b336282b113
• Opcode Fuzzy Hash: a13e67a17cd77830a4613271af499fc5a9d89a009339c6d632268fc77772059d
• Instruction Fuzzy Hash: 1041357A6202109BD724DF26EC81B7E37B5F798722B14421AE806D7770E7F88881DB55
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00C4E966
                                                                                                                                                                                                              • ReadFile.KERNEL32(00000000,?,00005000,00000000,00000000), ref: 00C4E9D7
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?), ref: 00C4EADD
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$CloseCreateHandleRead
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1035965006-0
                                                                                                                                                                                                              • Opcode ID: ccb1e1f293daae491e90f1481e0d2194ac6bc47cbf07ea799c7437f8046d4688
                                                                                                                                                                                                              • Instruction ID: b830d925e9e655bda780b2e2dd6e70e686c9a3d470e33ace28bdd9ca2414c7c6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ccb1e1f293daae491e90f1481e0d2194ac6bc47cbf07ea799c7437f8046d4688
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A281AC796003049FD328DF6AFC92B6E37B5F794312F104519E906A72E1DBB0A981CB95
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00C50A87,00000000,?), ref: 00C4FAF7
                                                                                                                                                                                                              • RtlReAllocateHeap.NTDLL(00000000,?,00C50A87,00000000), ref: 00C4FAFE
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?,?,00C50A87,00000000,?), ref: 00C4FB19
                                                                                                                                                                                                              • HeapAlloc.KERNEL32(00000000,?,00C50A87,00000000,?), ref: 00C4FB20
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Heap$Process$AllocAllocate
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1154092256-0
                                                                                                                                                                                                              • Opcode ID: 6a9b307513d07751938ce3d6bfdcf9cb6a5d614583be97fec7e5e32c2671081f
                                                                                                                                                                                                              • Instruction ID: 5be6cd3ae5cf836648234f24263f2f80258bc19e9797f044cc22d0c713257890
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6a9b307513d07751938ce3d6bfdcf9cb6a5d614583be97fec7e5e32c2671081f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7FF01C75111304EFDB149FB1EC09B6E3BA8FB88612F108108F919A75A0DB719981CB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000001,?,?,00C4FF15), ref: 00C23E43
                                                                                                                                                                                                              • __aulldiv.LIBCMT ref: 00C23E74
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000003.00000002.2929597877.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929572607.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929628969.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929646445.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929663103.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000003.00000002.2929687520.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Time$FileSystem__aulldiv
                                                                                                                                                                                                              • String ID: L9<8
                                                                                                                                                                                                              • API String ID: 2838486344-2160928743
                                                                                                                                                                                                              • Opcode ID: 5e4bdf103d32c12a6550758f118c10bdab541659b43494e8eb48d7298e38a550
                                                                                                                                                                                                              • Instruction ID: 9239562ddc877d5857c0f034668051a1bfe336b3bfbb5b067fded4b9c01aa179
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5e4bdf103d32c12a6550758f118c10bdab541659b43494e8eb48d7298e38a550
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E8413779A103608BC728CF46FD9173D37B2FB98716710415ED403ABAB0D7B89981CB80

Execution Graph

Execution Coverage: 6.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1386
Total number of Limit Nodes: 14
7342->7343 7344 b3097 7343->7344 7345 a5730 2 API calls 7344->7345 7346 b30fc 7345->7346 7347 c3840 2 API calls 7346->7347 7348 b3141 7347->7348 7349 ab980 9 API calls 7348->7349 7350 b3171 7349->7350 7351 c3840 2 API calls 7350->7351 7352 b319c 7351->7352 7353 c3060 5 API calls 7352->7353 7354 b31c9 7353->7354 7355 b31d4 GetTempPathA 7354->7355 7354->7360 7356 b3226 7355->7356 7357 a5730 2 API calls 7356->7357 7358 b32b1 7357->7358 7359 c3840 2 API calls 7358->7359 7359->7360 7360->7304 7362 cc652 AllocateAndInitializeSid 7361->7362 7364 cc724 CheckTokenMembership 7362->7364 7367 b2591 7362->7367 7365 cc77a FreeSid 7364->7365 7366 cc741 7364->7366 7365->7367 7366->7365 7368 bd0d0 7367->7368 7369 bd0f1 7368->7369 7370 a5730 2 API calls 7369->7370 7371 bd179 GetProcAddress 7370->7371 7372 c3840 2 API calls 7371->7372 7375 bd1c9 7372->7375 7373 b25b3 7373->7268 7376 b8090 GetWindowsDirectoryA 7373->7376 7374 bd26b GetCurrentProcess 7374->7373 7375->7373 7375->7374 7377 b80d8 7376->7377 7378 b818b 7377->7378 7379 a5730 2 API calls 7377->7379 7378->7275 7380 b8133 7379->7380 7381 c3840 2 API calls 7380->7381 7382 b816b 7381->7382 7423 a40b0 lstrlen 7382->7423 7385 a5776 7384->7385 7424 b6f00 7385->7424 7387 a580a 7387->7279 7427 bcbc0 7388->7427 7391 c3840 7392 c3863 7391->7392 7393 bc520 2 API calls 7392->7393 7394 c387d 7393->7394 7394->7280 7396 c306d 7395->7396 7463 a6590 WaitForSingleObject 7396->7463 7399 c3205 7465 a5070 ReleaseMutex 7399->7465 7400 c3253 CreateFileA 7402 c329c 7400->7402 7404 c32b4 7402->7404 7405 c3311 7402->7405 7406 a5070 ReleaseMutex 7404->7406 7408 c341f WriteFile 7405->7408 7407 c32d3 7406->7407 7407->7283 7408->7405 7409 c3493 CloseHandle 7408->7409 7411 c350c 7409->7411 7412 a5070 ReleaseMutex 7411->7412 7413 c3532 7412->7413 7413->7283 7415 c5879 7414->7415 7467 a5f60 7415->7467 7418 b29cb CreateDirectoryA 7418->7292 7420->7314 7421->7317 7422->7340 7423->7378 7425 b6f43 GetProcessHeap RtlAllocateHeap 7424->7425 7426 b6f14 7424->7426 
7425->7387 7426->7425 7428 bcbe0 7427->7428 7433 a40b0 lstrlen 7428->7433 7430 bcc38 7434 b3500 7430->7434 7432 ab999 7432->7391 7433->7430 7435 b3535 7434->7435 7438 b6fe0 7435->7438 7437 b3553 7437->7432 7439 b6ffe 7438->7439 7440 b701e 7439->7440 7443 bcb30 7439->7443 7440->7437 7442 b7053 7442->7437 7444 bcb4d 7443->7444 7445 bcb74 7444->7445 7447 d0850 7444->7447 7445->7442 7448 d0863 7447->7448 7449 d0a76 7448->7449 7450 d0976 7448->7450 7455 d0a4e 7448->7455 7460 cfad0 7449->7460 7452 b6f00 2 API calls 7450->7452 7453 d0994 7452->7453 7456 bc520 7453->7456 7455->7445 7457 bc52f 7456->7457 7458 bc543 GetProcessHeap RtlFreeHeap 7456->7458 7457->7458 7459 bc567 7458->7459 7459->7455 7461 cfae4 GetProcessHeap RtlReAllocateHeap 7460->7461 7462 cfb06 GetProcessHeap HeapAlloc 7460->7462 7461->7455 7462->7455 7464 a65cc 7463->7464 7464->7399 7464->7400 7466 a50a2 7465->7466 7466->7283 7468 a5fb1 7467->7468 7472 a40b0 lstrlen 7468->7472 7470 a5fce 7470->7418 7471 a40b0 lstrlen 7470->7471 7471->7418 7472->7470 7835 b4290 7836 b42b3 7835->7836 7837 b42ba SetServiceStatus 7835->7837 7836->7837 7838 b42d3 7836->7838 7839 b42e7 SetServiceStatus SetEvent 7836->7839 7841 b4350 7837->7841 7838->7839 7839->7841 8567 b7110 8568 b7163 8567->8568 8569 a5730 2 API calls 8568->8569 8570 b71fd RegOpenKeyA 8569->8570 8571 b723a 8570->8571 8572 c3840 2 API calls 8571->8572 8574 b7263 8572->8574 8573 b72f0 RegCloseKey 8575 b731c 8573->8575 8574->8573 8578 a40b0 lstrlen 8574->8578 8577 b72cc RegSetValueExA 8577->8573 8578->8577 7473 cfe10 7474 cfe46 7473->7474 7525 c99b0 GetSystemTime 7474->7525 7476 cff2c 7477 cff15 7476->7477 7477->7476 7530 a60a0 7477->7530 7479 cff81 7480 c5860 lstrlen 7479->7480 7481 cff97 7480->7481 7482 a5730 2 API calls 7481->7482 7483 cffcc 7482->7483 7484 c3840 2 API calls 7483->7484 7487 d0021 7484->7487 7502 d00d0 7487->7502 7508 a3dc0 7487->7508 7512 a6660 7487->7512 7545 cc080 7487->7545 7490 d0794 7515 bc250 7490->7515 7586 b3880 7490->7586 7491 d0774 
7491->7490 7495 a3dc0 GetSystemTimeAsFileTime 7495->7502 7497 cc080 12 API calls 7497->7502 7498 ab980 9 API calls 7498->7502 7499 c3840 GetProcessHeap RtlFreeHeap 7499->7502 7500 c5810 8 API calls 7500->7502 7502->7487 7502->7495 7502->7497 7502->7498 7502->7499 7502->7500 7504 a5730 GetProcessHeap RtlAllocateHeap 7502->7504 7505 c01b0 21 API calls 7502->7505 7506 b5520 27 API calls 7502->7506 7507 c2950 32 API calls 7502->7507 7566 c97d0 7502->7566 7577 a4460 7502->7577 7580 b5b60 7502->7580 7593 c38b0 7502->7593 7504->7502 7505->7502 7506->7502 7507->7502 7509 a3df8 7508->7509 7510 a3e2d GetSystemTimeAsFileTime 7508->7510 7509->7510 7511 a3e79 __aulldiv 7510->7511 7511->7487 7513 b6fe0 8 API calls 7512->7513 7514 a6667 Sleep 7513->7514 7514->7490 7514->7491 7516 bc270 CreateToolhelp32Snapshot 7515->7516 7518 bc32c Process32First 7516->7518 7519 bc4e5 7516->7519 7520 bc4ca CloseHandle 7518->7520 7522 bc387 7518->7522 7519->7502 7520->7519 7523 bc441 Process32Next 7522->7523 7524 bc4a2 7522->7524 7600 b2290 lstrlen CharLowerBuffA 7522->7600 7523->7522 7523->7524 7524->7520 7526 c9a49 7525->7526 7527 a3dc0 GetSystemTimeAsFileTime 7526->7527 7528 c9b45 GetTickCount 7527->7528 7529 c9b83 7528->7529 7529->7477 7531 a60d3 7530->7531 7532 a63c4 7530->7532 7601 a40b0 lstrlen 7531->7601 7532->7479 7534 a6175 Sleep 7535 a61cd 7534->7535 7536 a5730 2 API calls 7535->7536 7537 a61ff 7536->7537 7538 c3840 2 API calls 7537->7538 7539 a622a FindFirstFileA 7538->7539 7539->7532 7541 a628f 7539->7541 7542 a631e DeleteFileA 7541->7542 7543 a6379 FindNextFileA 7541->7543 7542->7541 7543->7541 7544 a6392 FindClose 7543->7544 7544->7532 7546 cc097 7545->7546 7547 cc13a 7546->7547 7602 c7040 7546->7602 7548 a5730 2 API calls 7547->7548 7550 cc16b 7548->7550 7618 c35c0 7550->7618 7552 cc181 7553 c3840 2 API calls 7552->7553 7554 cc195 7553->7554 7555 cc261 7554->7555 7556 cc1aa Sleep 7554->7556 7557 cc2ed 7555->7557 7625 a5230 7555->7625 7558 a5730 2 API calls 7556->7558 7557->7487 
7560 cc1e5 7558->7560 7563 c35c0 3 API calls 7560->7563 7561 cc2c1 7629 ce790 CloseHandle 7561->7629 7564 cc245 7563->7564 7565 c3840 2 API calls 7564->7565 7565->7555 7567 a5730 2 API calls 7566->7567 7568 c9826 7567->7568 7569 a5730 2 API calls 7568->7569 7570 c9841 7569->7570 7641 b77f0 7570->7641 7573 c3840 2 API calls 7574 c9877 7573->7574 7575 c3840 2 API calls 7574->7575 7576 c98b6 7575->7576 7576->7502 7647 a1890 7577->7647 7579 a447b 7579->7502 7581 b5b8e 7580->7581 7651 c2300 7581->7651 7583 b5bf4 7584 a1890 8 API calls 7583->7584 7585 b5cf8 7583->7585 7584->7585 7585->7502 7589 b3898 7586->7589 7587 b3aa3 7587->7490 7588 b398b DeleteFileA 7588->7589 7589->7587 7589->7588 7591 b3a31 7589->7591 7655 abab0 7589->7655 7591->7587 7660 c9bd0 7591->7660 7594 c38d4 7593->7594 7595 c39b5 CreateProcessA 7594->7595 7596 c3a1a 7595->7596 7599 c3a64 7595->7599 7597 c3a3a CloseHandle CloseHandle 7596->7597 7598 c3a26 7596->7598 7597->7599 7598->7597 7599->7502 7600->7522 7601->7534 7603 c708f 7602->7603 7604 a6590 WaitForSingleObject 7603->7604 7605 c71b9 7604->7605 7606 a5730 2 API calls 7605->7606 7615 c72af 7605->7615 7607 c71ea GetProcAddress 7606->7607 7610 a5730 2 API calls 7607->7610 7609 a5070 ReleaseMutex 7611 c7485 7609->7611 7612 c7246 7610->7612 7611->7547 7613 c3840 2 API calls 7612->7613 7614 c7260 GetProcAddress 7613->7614 7616 c728b 7614->7616 7615->7609 7617 c3840 2 API calls 7616->7617 7617->7615 7620 c35ef 7618->7620 7619 c371c CreateFileA 7621 c376a 7619->7621 7622 c377b 7619->7622 7620->7619 7621->7552 7633 a6460 7622->7633 7624 c37ac 7624->7552 7626 a5251 7625->7626 7627 a5297 7626->7627 7628 a534e WriteFile 7626->7628 7627->7561 7628->7561 7630 ce7bf 7629->7630 7637 a1fc0 7630->7637 7634 d0bf0 7633->7634 7635 b6f00 2 API calls 7634->7635 7636 d0c06 7635->7636 7636->7624 7638 a5f20 7637->7638 7639 a5f30 7638->7639 7640 bc520 2 API calls 7638->7640 7639->7557 7640->7639 7642 b781d 7641->7642 7643 a5730 2 API calls 7642->7643 7644 b7b66 7643->7644 
7645 c3840 2 API calls 7644->7645 7646 b7b95 7645->7646 7646->7573 7648 a18b6 7647->7648 7649 b6fe0 8 API calls 7648->7649 7650 a18c1 7649->7650 7650->7579 7652 d0bf0 7651->7652 7653 b6f00 2 API calls 7652->7653 7654 d0c06 7653->7654 7654->7583 7664 cc460 7655->7664 7657 abacd 7668 a2870 7657->7668 7661 c9c07 7660->7661 7662 c9c9b 7661->7662 7683 a1060 7661->7683 7662->7591 7665 cc478 7664->7665 7666 d0850 8 API calls 7665->7666 7667 cc4b6 7666->7667 7667->7657 7670 a287e 7668->7670 7669 a2890 7669->7589 7670->7669 7672 a4e20 7670->7672 7675 c8a40 7672->7675 7674 a4e2f 7674->7669 7676 c8a52 7675->7676 7679 abaf0 7676->7679 7678 c8a68 7678->7674 7680 abafb 7679->7680 7681 bcb30 8 API calls 7680->7681 7682 abb3c 7681->7682 7682->7678 7686 c4d20 7683->7686 7687 c4d4b 7686->7687 7690 c14f0 7687->7690 7689 a106e 7689->7662 7691 c152d 7690->7691 7692 d0850 8 API calls 7691->7692 7693 c15b9 7692->7693 7693->7689 7694 c6d10 7695 c6d4b 7694->7695 7700 a2ef0 7695->7700 7699 c6d5f 7707 b3d60 7700->7707 7702 a2f36 7703 a20e0 GetStdHandle GetStdHandle 7702->7703 7704 a215b 7703->7704 7705 a2177 GetStdHandle 7703->7705 7704->7705 7706 a21bc 7705->7706 7706->7699 7708 b3d9f GetProcessHeap HeapAlloc 7707->7708 7709 b3d84 7707->7709 7708->7702 7709->7708 7737 c5010 StartServiceCtrlDispatcherA 7842 a28a0 7843 a28b0 7842->7843 7844 a28c2 7843->7844 7845 a2a0c ReadFile 7843->7845 7846 a2a31 7845->7846 7847 a20a0 7848 a20b7 7847->7848 7849 a51d0 8 API calls 7848->7849 7850 a20ce 7849->7850 7738 c2420 FlushFileBuffers 7739 c2460 GetLastError 7738->7739 7740 c24a2 7738->7740 7741 c2820 7742 c2873 7741->7742 7745 a67e0 7742->7745 7746 a681a 7745->7746 7747 a690b 7745->7747 7749 a68bf 7746->7749 7750 a6834 7746->7750 7763 bc640 7747->7763 7752 c64f0 4 API calls 7749->7752 7754 c64f0 7750->7754 7753 a6849 7752->7753 7756 c6532 7754->7756 7755 c6567 7755->7753 7756->7755 7758 c65c5 7756->7758 7771 b6dc0 7756->7771 7759 b6dc0 4 API calls 7758->7759 7760 c6684 7758->7760 7759->7760 7776 b7450 
7760->7776 7764 bc6a0 7763->7764 7765 bc756 7764->7765 7766 b6dc0 4 API calls 7764->7766 7767 a70e0 4 API calls 7765->7767 7768 bca18 7765->7768 7766->7765 7769 bc7ba 7767->7769 7768->7753 7769->7768 7770 a70e0 4 API calls 7769->7770 7770->7769 7772 b6df9 7771->7772 7773 b6df3 7771->7773 7780 a70e0 7772->7780 7773->7758 7775 b6e71 7775->7758 7777 b75ba 7776->7777 7778 b748f 7776->7778 7777->7753 7778->7777 7779 bc520 2 API calls 7778->7779 7779->7778 7781 a7110 7780->7781 7783 a7130 7780->7783 7782 b6f00 2 API calls 7781->7782 7784 a7127 7782->7784 7783->7775 7784->7783 7785 bc520 2 API calls 7784->7785 7785->7783 7786 a2630 7789 a51d0 7786->7789 7790 a5202 7789->7790 7793 a2df0 7790->7793 7792 a265b 7794 bcb30 8 API calls 7793->7794 7795 a2e22 7794->7795 7795->7792 7851 bbeb0 7852 bbec8 7851->7852 7857 a40b0 lstrlen 7852->7857 7854 bbf13 7858 a4090 7854->7858 7857->7854 7861 a6670 7858->7861 7860 a40aa 7862 a668f 7861->7862 7863 a66fe 7862->7863 7864 a66f1 7862->7864 7867 a66fc 7863->7867 7868 ab9e0 7863->7868 7865 c14f0 8 API calls 7864->7865 7865->7867 7867->7860 7869 ab9ff 7868->7869 7870 bcb30 8 API calls 7869->7870 7871 aba40 7870->7871 7871->7867 8588 ab531 8590 ab5ae RegisterServiceCtrlHandlerA 8588->8590 8591 ab696 8590->8591 8592 ab8ba 8591->8592 8593 ab702 SetServiceStatus CreateEventA SetServiceStatus 8591->8593 8594 ab7a2 8593->8594 8595 ab7b0 WaitForSingleObject 8593->8595 8594->8595 8595->8595 8596 ab7dd 8595->8596 8597 a6590 WaitForSingleObject 8596->8597 8598 ab7f4 SetServiceStatus CloseHandle SetServiceStatus 8597->8598 8598->8592 7796 a3c40 7799 a5f00 7796->7799 7802 c2320 7799->7802 7801 a3c4f 7803 c232e 7802->7803 7806 a40b0 lstrlen 7803->7806 7805 c233a 7805->7801 7806->7805 8649 a19c0 8650 a19ed 8649->8650 8651 a5730 2 API calls 8650->8651 8652 a1a44 8651->8652 8703 abba0 wvsprintfA 8652->8703 8654 a1a77 8655 c3840 2 API calls 8654->8655 8656 a1a89 8655->8656 8657 c38a0 9 API calls 8656->8657 8658 a1ac4 8657->8658 8659 c38a0 9 API calls 
8658->8659 8660 a1b37 8659->8660 8661 a5f40 8 API calls 8660->8661 8662 a1b4b 8661->8662 8663 a5f40 8 API calls 8662->8663 8664 a1b97 8663->8664 8704 cb7f0 8664->8704 8666 a1baa 8728 ca050 OpenSCManagerA 8666->8728 8668 a1bd4 8669 c8ba0 9 API calls 8668->8669 8670 a1c03 8669->8670 8752 b36f0 8670->8752 8672 a1c16 8673 a5730 2 API calls 8672->8673 8674 a1c4f 8673->8674 8675 ab980 9 API calls 8674->8675 8676 a1c71 8675->8676 8677 c3840 2 API calls 8676->8677 8678 a1c83 8677->8678 8679 b5b60 8 API calls 8678->8679 8680 a1ccd 8679->8680 8681 c5810 8 API calls 8680->8681 8682 a1cd6 8681->8682 8683 a5730 2 API calls 8682->8683 8684 a1cfa 8683->8684 8685 c4a90 9 API calls 8684->8685 8686 a1d5b 8685->8686 8687 c5810 8 API calls 8686->8687 8688 a1d67 8687->8688 8689 c3840 2 API calls 8688->8689 8690 a1d99 8689->8690 8691 a1890 8 API calls 8690->8691 8692 a1df7 8691->8692 8693 b36f0 8 API calls 8692->8693 8694 a1e3b 8693->8694 8695 c97d0 4 API calls 8694->8695 8696 a1e7a 8695->8696 8697 a5730 2 API calls 8696->8697 8698 a1e90 8697->8698 8699 c01b0 21 API calls 8698->8699 8700 a1ebb 8699->8700 8701 c3840 2 API calls 8700->8701 8702 a1f03 8701->8702 8703->8654 8705 cb82f CreateToolhelp32Snapshot 8704->8705 8707 cb92c 8705->8707 8708 cba05 Process32First 8705->8708 8710 a5730 2 API calls 8707->8710 8726 cbabb 8708->8726 8712 cb953 8710->8712 8711 cbe7e CloseHandle 8711->8666 8713 c38a0 9 API calls 8712->8713 8714 cb977 8713->8714 8718 c3840 2 API calls 8714->8718 8716 cbc51 CreateToolhelp32Snapshot 8716->8726 8717 a5730 GetProcessHeap RtlAllocateHeap 8717->8726 8720 cb9e6 8718->8720 8719 cbcde Module32First 8719->8726 8720->8666 8721 c38a0 9 API calls 8721->8726 8723 c3840 GetProcessHeap RtlFreeHeap 8723->8726 8724 a5f40 8 API calls 8725 cbdfd CloseHandle Process32Next 8724->8725 8725->8726 8726->8711 8726->8716 8726->8717 8726->8719 8726->8721 8726->8723 8726->8724 8727 cbe76 8726->8727 8756 a40b0 lstrlen 8726->8756 8757 abba0 wvsprintfA 8726->8757 8727->8711 8729 ca480 
8728->8729 8730 ca141 EnumServicesStatusA GetLastError 8728->8730 8732 a5730 2 API calls 8729->8732 8731 ca196 8730->8731 8736 ca464 8731->8736 8737 b6f00 2 API calls 8731->8737 8733 ca496 8732->8733 8734 c38a0 9 API calls 8733->8734 8735 ca4b0 8734->8735 8738 c3840 2 API calls 8735->8738 8736->8668 8739 ca1f4 8737->8739 8740 ca4df 8738->8740 8741 ca22a EnumServicesStatusA 8739->8741 8742 ca441 CloseServiceHandle 8739->8742 8740->8668 8750 ca26e 8741->8750 8742->8736 8743 ca41e 8744 bc520 2 API calls 8743->8744 8745 ca434 8744->8745 8745->8742 8746 a40b0 lstrlen 8746->8750 8747 a5730 2 API calls 8747->8750 8749 c3840 2 API calls 8749->8750 8750->8743 8750->8746 8750->8747 8750->8749 8751 c38a0 9 API calls 8750->8751 8758 abba0 wvsprintfA 8750->8758 8751->8750 8753 b370b 8752->8753 8754 a6660 8 API calls 8753->8754 8755 b386c 8754->8755 8755->8672 8756->8726 8757->8726 8758->8750 8759 a3fc0 8760 ab9e0 8 API calls 8759->8760 8761 a3fe7 8760->8761 7807 a6441 7808 a6460 7807->7808 7809 b6f00 2 API calls 7808->7809 7810 d0c06 7809->7810 7872 b3ec0 7873 a3dc0 GetSystemTimeAsFileTime 7872->7873 7874 b3f0c 7873->7874 7875 b3feb 7874->7875 7876 a3dc0 GetSystemTimeAsFileTime 7874->7876 7877 b3f61 7876->7877 7877->7875 7878 b3fbd Sleep 7877->7878 7879 a3dc0 GetSystemTimeAsFileTime 7878->7879 7879->7877 7880 bd2c0 7884 bd2f0 7880->7884 7881 bd33d 7882 a40b0 lstrlen 7882->7884 7883 abba0 wvsprintfA 7883->7884 7884->7881 7884->7882 7884->7883 7885 a24c6 ExitProcess 7894 c3ac0 7897 c5f40 7894->7897 7900 c5070 7897->7900 7899 c3acf 7903 a40b0 lstrlen 7900->7903 7902 c5080 7902->7899 7903->7902 8770 cedc0 8771 a4e20 8 API calls 8770->8771 8772 ceddf 8771->8772 8773 c5810 8 API calls 8772->8773 8774 cedf4 8773->8774 7252 ab150 7253 ab1bb CreateFileA 7252->7253 7254 ab1a9 7252->7254 7255 ab1fe 7253->7255 7256 ab21c GetFileTime 7253->7256 7254->7253 7257 ab260 CloseHandle 7256->7257 7258 ab284 7256->7258 7259 ab2ae __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 7258->7259 7260 ab2ec 
GetFileSize CloseHandle 7259->7260 7261 ab34c 7260->7261 8775 a2dd0 8778 cfb30 8775->8778 8779 c5070 lstrlen 8778->8779 8780 a2ddf 8779->8780 8602 bcf50 8607 a2da0 8602->8607 8616 c7620 8607->8616 8617 c7645 8616->8617 8618 a2cc0 8 API calls 8617->8618 8619 c7660 8618->8619 7907 a72e0 7908 c5860 lstrlen 7907->7908 7909 a7353 7908->7909 7910 a5730 2 API calls 7909->7910 7911 a7387 7910->7911 7912 c3840 2 API calls 7911->7912 7913 a742f CreateFileA 7912->7913 7914 a747b 7913->7914 8781 a53e0 8786 a26f0 8781->8786 8789 cec80 8786->8789 8790 cec8a 8789->8790 8792 cecae 8789->8792 8791 bc520 2 API calls 8790->8791 8791->8792 8793 b53e0 8794 a6660 8 API calls 8793->8794 8795 b5425 8794->8795 8800 b5db0 8795->8800 8797 a6660 8 API calls 8799 b54fd 8797->8799 8798 b5444 8798->8797 8801 b5dc1 8800->8801 8802 c6ff0 8 API calls 8801->8802 8803 b5dd1 8802->8803 8803->8798 7919 c24e0 7920 c2500 7919->7920 7921 c5860 lstrlen 7920->7921 7922 c2589 7921->7922 7923 a5730 2 API calls 7922->7923 7924 c259a 7922->7924 7925 c260b 7923->7925 7926 c3840 2 API calls 7925->7926 7927 c2665 7926->7927 7930 ce880 7927->7930 7929 c268c 7931 ce88d 7930->7931 7932 a6660 8 API calls 7931->7932 7933 ce91b 7932->7933 7934 a6590 WaitForSingleObject 7933->7934 7935 ce940 CreateFileA 7934->7935 7936 ce97c 7935->7936 7942 ce996 7935->7942 7938 a5070 ReleaseMutex 7936->7938 7937 ce9b0 ReadFile 7937->7942 7939 ceb8f 7938->7939 7939->7929 7940 d0850 8 API calls 7940->7942 7941 ceb56 CloseHandle 7941->7936 7942->7937 7942->7940 7942->7941 7943 a1890 8 API calls 7942->7943 7944 ceac6 CloseHandle 7942->7944 7943->7942 7945 a5070 ReleaseMutex 7944->7945 7946 ceaf9 7945->7946 7946->7929 8620 c1360 8621 c1383 8620->8621 8622 c5250 8 API calls 8621->8622 8623 c13cc 8622->8623 8624 c4ae0 8 API calls 8623->8624 8625 c13e6 8624->8625 8807 ccbe0 8808 ccc70 8807->8808 8809 a6460 2 API calls 8808->8809 8811 cccd6 8809->8811 8810 ccd3a GetComputerNameA 8812 ccd55 8810->8812 8820 cce1e 8810->8820 8811->8810 8814 a5730 2 
API calls 8812->8814 8813 a5730 2 API calls 8815 ccefb 8813->8815 8816 ccd6b 8814->8816 8817 c3840 2 API calls 8815->8817 8818 c3840 2 API calls 8816->8818 8819 ccf70 8817->8819 8818->8820 8821 ab980 9 API calls 8819->8821 8820->8813 8822 ccf8c 8821->8822 8823 a4460 8 API calls 8822->8823 8824 ccfaa 8823->8824 8903 cdb50 8824->8903 8826 cd075 8939 a40b0 lstrlen 8826->8939 8828 cd094 8829 c4a90 9 API calls 8828->8829 8830 cd0f2 8829->8830 8831 c5810 8 API calls 8830->8831 8832 cd101 8831->8832 8833 a4460 8 API calls 8832->8833 8834 cd132 8833->8834 8835 c4a90 9 API calls 8834->8835 8836 cd16a 8835->8836 8837 c5810 8 API calls 8836->8837 8838 cd179 8837->8838 8839 a4460 8 API calls 8838->8839 8840 cd1d2 8839->8840 8841 c4a90 9 API calls 8840->8841 8842 cd1f7 8841->8842 8843 c5810 8 API calls 8842->8843 8844 cd206 8843->8844 8845 a4460 8 API calls 8844->8845 8846 cd22d 8845->8846 8847 c4a90 9 API calls 8846->8847 8848 cd26f 8847->8848 8849 c5810 8 API calls 8848->8849 8850 cd27b 8849->8850 8851 a4460 8 API calls 8850->8851 8852 cd297 8851->8852 8853 c4a90 9 API calls 8852->8853 8854 cd2dc 8853->8854 8855 c5810 8 API calls 8854->8855 8856 cd2eb 8855->8856 8857 a4460 8 API calls 8856->8857 8858 cd30a 8857->8858 8859 a5730 2 API calls 8858->8859 8860 cd32a 8859->8860 8861 c4a90 9 API calls 8860->8861 8862 cd345 8861->8862 8863 c5810 8 API calls 8862->8863 8864 cd354 8863->8864 8865 c3840 2 API calls 8864->8865 8866 cd381 8865->8866 8867 a4460 8 API calls 8866->8867 8868 cd3a2 8867->8868 8869 c4a90 9 API calls 8868->8869 8870 cd3cf 8869->8870 8871 c5810 8 API calls 8870->8871 8872 cd3db 8871->8872 8873 a4460 8 API calls 8872->8873 8874 cd3fd 8873->8874 8875 c4a90 9 API calls 8874->8875 8876 cd42a 8875->8876 8877 c5810 8 API calls 8876->8877 8878 cd439 8877->8878 8879 a4460 8 API calls 8878->8879 8880 cd46e 8879->8880 8940 c4c30 8880->8940 8884 cd4e7 8885 c4a90 9 API calls 8884->8885 8886 cd4f3 8885->8886 8887 c5810 8 API calls 8886->8887 8888 cd502 8887->8888 8889 a4460 8 
API calls 8888->8889 8890 cd523 8889->8890 8891 c4a90 9 API calls 8890->8891 8892 cd56f 8891->8892 8893 c5810 8 API calls 8892->8893 8894 cd57e 8893->8894 8895 c8ba0 9 API calls 8894->8895 8896 cd5c0 8895->8896 8897 a6660 8 API calls 8896->8897 8898 cd5dd 8897->8898 8899 a1890 8 API calls 8898->8899 8900 cd622 8899->8900 8950 a3a00 8900->8950 8902 cd666 8904 cdbe3 8903->8904 8905 a5730 2 API calls 8904->8905 8906 cdc8b 8905->8906 8907 c3840 2 API calls 8906->8907 8908 cdcbc GetProcessHeap 8907->8908 8910 cdd5f 8908->8910 8911 cdd41 8908->8911 8912 a5730 2 API calls 8910->8912 8911->8826 8913 cdd86 LoadLibraryA 8912->8913 8915 c3840 2 API calls 8913->8915 8916 cddd8 8915->8916 8917 cdde9 8916->8917 8918 a5730 2 API calls 8916->8918 8917->8826 8919 cde42 GetProcAddress 8918->8919 8920 cde75 8919->8920 8921 c3840 2 API calls 8920->8921 8922 cde87 8921->8922 8923 cdeab FreeLibrary 8922->8923 8924 cded7 HeapAlloc 8922->8924 8923->8826 8925 cdf2b FreeLibrary 8924->8925 8926 cdf52 8924->8926 8925->8826 8927 ce06a 8926->8927 8928 cdfa6 HeapFree HeapAlloc 8926->8928 8931 a5730 2 API calls 8927->8931 8934 ce294 8927->8934 8928->8927 8929 ce027 FreeLibrary 8928->8929 8929->8826 8930 ce637 HeapFree FreeLibrary 8930->8826 8932 ce0c0 8931->8932 8933 c3840 2 API calls 8932->8933 8935 ce0e8 8933->8935 8934->8930 8935->8934 8936 a5730 2 API calls 8935->8936 8937 ce2e0 8936->8937 8938 c3840 2 API calls 8937->8938 8938->8934 8939->8828 8941 c4c55 8940->8941 8942 a5730 2 API calls 8941->8942 8943 c4cb8 8942->8943 8944 c3840 2 API calls 8943->8944 8945 c4ce3 8944->8945 8946 bccf0 8945->8946 8947 bcd1f 8946->8947 8957 a40b0 lstrlen 8947->8957 8949 bcd6e 8949->8884 8951 b7330 12 API calls 8950->8951 8952 a3a17 8951->8952 8953 c2300 2 API calls 8952->8953 8954 a3a58 8953->8954 8955 a1890 8 API calls 8954->8955 8956 a3af6 8954->8956 8955->8956 8956->8902 8957->8949 7951 b84f0 7952 b850d 7951->7952 7961 a40b0 lstrlen 7952->7961 7954 b8575 7955 d0850 8 API calls 7954->7955 7956 b858f 
7955->7956 7962 c38a0 7956->7962 7961->7954 7963 cc550 7962->7963 7972 a40b0 lstrlen 7963->7972 7965 cc5e0 7966 a1890 8 API calls 7965->7966 7967 b85b9 7966->7967 7968 c4ae0 7967->7968 7969 c4aee 7968->7969 7970 a1890 8 API calls 7969->7970 7971 b8617 7970->7971 7972->7965 8634 bbf70 8637 a40b0 lstrlen 8634->8637 8636 bbfcb 8637->8636 7973 c3af0 7974 c3b2c 7973->7974 7977 a40b0 lstrlen 7974->7977 7976 c3c1a 7976->7976 7977->7976 7978 cf6f0 7983 b7330 7978->7983 7981 a1890 8 API calls 7982 cf776 7981->7982 7988 a2cc0 7983->7988 7985 b73ac 7985->7981 7986 c7040 8 API calls 7987 b7342 7986->7987 7987->7985 7987->7986 7989 a2d1d 7988->7989 7990 a2cd3 7988->7990 7989->7987 7991 a6660 8 API calls 7990->7991 7991->7989

Control-flow Graph
APIs
• GetVersionExA.KERNEL32(000EEAC8), ref: 000B2572
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 000B26EF
• DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 000B2843
• RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 000B289F
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 000B293F
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000B29E1
• CreateDirectoryA.KERNEL32(?,00000000), ref: 000B2CAC
• CreateDirectoryA.KERNEL32(?,00000000), ref: 000B2D6E
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 000B2EB0
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 000B307B
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 000B31FA
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 000B344D
Strings
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Windows\system32\config\systemprofile$C:\daxjjwrfm\$Wq0O$\
• API String ID: 1691758827-4043548932
• Opcode ID: 569bb66026727e547d58760e87819f5d021c40407d1d6f1dcef6d4506782d12c
• Instruction ID: 87acc9f2b3ec79cb01eec3e7816153f2a02152d6a6a55fc29006e7c254a3a964
• Opcode Fuzzy Hash: 569bb66026727e547d58760e87819f5d021c40407d1d6f1dcef6d4506782d12c
• Instruction Fuzzy Hash: 248226B1A01285CBF704DF64ECD2ABA37B5F754B11B10812BE905EF2A1EB7C9941CB61

Control-flow Graph
• Function 000C3060 (basic blocks 000C3060-000C3546): CreateFileA, WriteFile and CloseHandle call sites, the remaining calls internal. The interactive graph (executed / not-executed block colouring and the edge list) is not reproduced here.
APIs
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 000C327A
• WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 000C344B
• CloseHandle.KERNELBASE(?), ref: 000C34DA
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: the same seven dump files listed for the first function record above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID:
• API String ID: 1065093856-0
• Opcode ID: 82d4771bf7b06b16cfe93b9f0bd549e7e101a43c2f756ccd9485ab7163d5591b
• Instruction ID: b6088611a9a0b0f8dc8aaa7d29f0d22596e0228b93b1763a8c67b26edb68e424
• Opcode Fuzzy Hash: 82d4771bf7b06b16cfe93b9f0bd549e7e101a43c2f756ccd9485ab7163d5591b
• Instruction Fuzzy Hash: 3BC1D076A21690CBF304CF68FCC1AAA33E5F754B25B14811BE805EF265E77C9981CB50

Control-flow Graph
• Function 000AB150 (basic blocks 000AB150-000AB39E): CreateFileA, GetFileTime, GetFileSize and CloseHandle call sites. The interactive graph (executed / not-executed block colouring and the edge list) is not reproduced here.
APIs
• CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 000AB1D7
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 000AB256
• CloseHandle.KERNEL32(00000000), ref: 000AB26B
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000AB2E7
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 000AB31A
• CloseHandle.KERNEL32(00000000), ref: 000AB334
Strings
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: the same seven dump files listed for the first function record above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: td9k
• API String ID: 3236713533-1579400769
• Opcode ID: 7dddfd65d1c49bbaa2c22b67d08ce43b1585ad0f40d9dca6f6c253134a4bf1ed
• Instruction ID: 8d0b353ce76084141e7f749db556df9526b489f627e07b909f2013d3bfb2ebae
• Opcode Fuzzy Hash: 7dddfd65d1c49bbaa2c22b67d08ce43b1585ad0f40d9dca6f6c253134a4bf1ed
• Instruction Fuzzy Hash: C351E7756062859BF304DF68FCC0A6A77B5FB84B14F10826BE809DF260E7789940CF95

Control-flow Graph
• Function 000C1E90 (basic blocks 000C1E90-000C22F2): CreateToolhelp32Snapshot, Process32First, OpenProcess, TerminateProcess, CloseHandle and Process32Next call sites; the edge list shows a Process32First/Process32Next loop with the OpenProcess and TerminateProcess blocks inside it. The interactive graph (executed / not-executed block colouring and the edge list) is not reproduced here.
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000C1F5E
• Process32First.KERNEL32(00000000,00000128), ref: 000C1FDC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 000C20A2
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: the same seven dump files listed for the first function record above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
• String ID:
• API String ID: 3397401024-0
• Opcode ID: fc70e331f7b647f43a1a27ed46146782552da5ed04df3dd1c3ae3295990c6140
• Instruction ID: d5cee05cb7bdced5bae0e381ce9eae32c2056194a753fe72356db3494ebd3cc2
• Opcode Fuzzy Hash: fc70e331f7b647f43a1a27ed46146782552da5ed04df3dd1c3ae3295990c6140
• Instruction Fuzzy Hash: 38A1EE75602281DBF318DF14EDD1AA973A6FB64B10B00812FDC06EA675E73C9A40CF60

Control-flow Graph (node legend in the report: Executed / Not Executed; edge list as exported)
control_flow_graph 269 c38b0-c38d2 270 c38d4-c38e1 269->270 271 c38e7-c38ff 269->271 270->271 272 c392b-c3937 271->272 273 c3901-c3926 271->273 274 c3939-c3961 272->274 275 c3976-c3992 call c9e60 272->275 273->272 274->275 276 c3963-c3970 274->276 279 c39a8-c3a18 call c9e60 CreateProcessA 275->279 280 c3994-c39a1 275->280 276->275 283 c3a1a-c3a24 279->283 284 c3a64-c3a79 279->284 285 c3a3a-c3a62 CloseHandle * 2 283->285 286 c3a26-c3a33 283->286 287 c3a7f-c3a94 284->287 285->287 286->285
APIs
• CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000008,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 000C3A0F
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 000C3A3E
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 000C3A52
Strings
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 95b76cd297ae5959acae51075e0d95adb8037e8e6ab16ebd8304d4af74fb2f90
• Instruction ID: a114bc0bf912e2b097e42fd1cae6afa3279883183edb239ee636c80fa57b3672
• Opcode Fuzzy Hash: 95b76cd297ae5959acae51075e0d95adb8037e8e6ab16ebd8304d4af74fb2f90
• Instruction Fuzzy Hash: 2041FE71A122459BFB08CF58EDD1BA937B5FB58B05F00801FE906EB2A4D7B8A940CB55

Control-flow Graph (node legend in the report: Executed / Not Executed; edge list as exported)
control_flow_graph 288 bc250-bc26e 289 bc29a-bc2d0 288->289 290 bc270-bc28e 288->290 292 bc2e2-bc326 CreateToolhelp32Snapshot 289->292 293 bc2d2-bc2dd 289->293 290->289 291 bc290 290->291 291->289 294 bc32c-bc381 Process32First 292->294 295 bc4e5-bc51e call c9e60 292->295 293->292 296 bc4ca-bc4db CloseHandle 294->296 297 bc387 294->297 296->295 299 bc390-bc3d5 call cf8f0 297->299 303 bc3e9-bc40d 299->303 304 bc3d7-bc3e7 299->304 305 bc414-bc43f call b2290 call c1d60 303->305 304->305 310 bc441-bc49c Process32Next 305->310 311 bc4a4-bc4c3 305->311 310->299 312 bc4a2 310->312 311->296 312->296
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000BC312
• Process32First.KERNEL32(00000000,?), ref: 000BC35A
• Process32Next.KERNEL32(00000000,00000128), ref: 000BC478
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: Process32$CreateFirstNextSnapshotToolhelp32
• String ID:
• API String ID: 1238713047-0
• Opcode ID: d451c2dc6d1c55748c647ed23daca88357854d7b14c251cd3411ae63b65b6ac4
• Instruction ID: 00a2f028587fd54fade82d7947a2e4923c7edf9b7b60ba7e1a8a525384a49474
• Opcode Fuzzy Hash: d451c2dc6d1c55748c647ed23daca88357854d7b14c251cd3411ae63b65b6ac4
• Instruction Fuzzy Hash: 0B513675602291CBF714CF20FDD5AA937B5FB54B01F00801BE806AE2A4EB7C8A40CF61

Control-flow Graph (node legend in the report: Executed / Not Executed; edge list as exported)
control_flow_graph 313 bc520-bc52d 314 bc52f-bc53c 313->314 315 bc543-bc565 GetProcessHeap RtlFreeHeap 313->315 314->315 316 bc57c-bc57d 315->316 317 bc567-bc576 315->317 317->316
APIs
• GetProcessHeap.KERNEL32(00000000,N,?,000D0A4E,00000000), ref: 000BC549
• RtlFreeHeap.NTDLL(00000000,?,000D0A4E,00000000), ref: 000BC550
Strings
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID: N
• API String ID: 3859560861-18607599
• Opcode ID: 9e101f185f34021851a3675117394c76c604df97e54c4992b51f43b095c0f3ac
• Instruction ID: 96d1656f41cba590a8d2b88007f497611a084d3e782e542557ae284057a672a0
• Opcode Fuzzy Hash: 9e101f185f34021851a3675117394c76c604df97e54c4992b51f43b095c0f3ac
• Instruction Fuzzy Hash: 57F0A0718092449FF608CF58ECD5A6537E4AB04B00B40440AE90ADB621D778A8C0CB7A

Control-flow Graph (node legend in the report: Executed / Not Executed; edge list as exported)
control_flow_graph 372 cc640-cc650 373 cc664-cc6b9 372->373 374 cc652-cc65e 372->374 375 cc6ea-cc71e AllocateAndInitializeSid 373->375 376 cc6bb-cc6d7 373->376 374->373 379 cc724-cc73f CheckTokenMembership 375->379 380 cc7f1-cc819 375->380 377 cc6d9-cc6de 376->377 378 cc6e0 376->378 377->375 378->375 381 cc77a-cc7ad FreeSid 379->381 382 cc741-cc76e 379->382 381->380 384 cc7af-cc7c3 381->384 382->381 383 cc770 382->383 383->381 385 cc7d9-cc7eb 384->385 386 cc7c5-cc7d7 384->386 385->380 386->380
APIs
• AllocateAndInitializeSid.ADVAPI32(000B2591,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,000B2591), ref: 000CC701
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 000CC737
• FreeSid.ADVAPI32(?), ref: 000CC798
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: be5c8f219b0b0cb30173dc01fa766fe8d83b99f143371ee27319aecfeceddc30
• Instruction ID: 9386aeb9ac1b8e8d39882933a41d93eea373d87f842fe2fbfa5d438bed89c33e
• Opcode Fuzzy Hash: be5c8f219b0b0cb30173dc01fa766fe8d83b99f143371ee27319aecfeceddc30
• Instruction Fuzzy Hash: DA41D039606284DFF708CB68EDD5A6A77F5FB58700B50815FE906DB261E738A940CF21

Control-flow Graph
control_flow_graph 387 b6f00-b6f12 388 b6f43-b6f67 GetProcessHeap RtlAllocateHeap 387->388 389 b6f14-b6f2e 387->389 389->388 390 b6f30-b6f3c 389->390 390->388
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,000B9195,021A1850,?,?,?,?,?,000C6DD6), ref: 000B6F59
• RtlAllocateHeap.NTDLL(00000000,?,000B9195,021A1850,?,?,?,?,?,000C6DD6), ref: 000B6F60
Note: the two calls are adjacent (ref 000B6F59 and 000B6F60) and are the only APIs in this four-block function, i.e. a heap-allocation wrapper. GetProcessHeap here is the normal prelude to RtlAllocateHeap on the default process heap; on its own it is not evidence of a heap-flag based debugger check, which would also have to read the heap's Flags/ForceFlags fields.
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 3dbf250bd28e64f9c8eeefbda6d71a19d9ac7dafda9cdc6ee6c9ce8293c3d0da
• Instruction ID: 24c0f4efd4e4520b2f24a9b1494bbe69ef390deab9de35dc3a146c06708b3dff
• Opcode Fuzzy Hash: 3dbf250bd28e64f9c8eeefbda6d71a19d9ac7dafda9cdc6ee6c9ce8293c3d0da
• Instruction Fuzzy Hash: FCF020B15017448BEB0CDB64FDC9B213BE9FB10B01704401AF906DB6B0EEBE9440CBA8

Control-flow Graph
control_flow_graph 391 b2290-b22df lstrlen CharLowerBuffA
APIs
• lstrlen.KERNEL32(?), ref: 000B22A2
• CharLowerBuffA.USER32(?,00000000), ref: 000B22BE
Note: lstrlen followed by CharLowerBuffA(buffer, length) lowercases an ANSI string in place, the usual normalisation step before a case-insensitive comparison. The buffer contents are not resolved in this listing (shown as ?), so what is being compared cannot be read from here.
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0
• Opcode ID: d9ad0804795f67f49ba85aea370ccb1b7b49090ffc1101a37d601f7f71ee423c
• Instruction ID: 0d218284b92bedf7b12c9eefb6a931d9eb40d581929eac19c5b2253588fa3203
• Opcode Fuzzy Hash: d9ad0804795f67f49ba85aea370ccb1b7b49090ffc1101a37d601f7f71ee423c
• Instruction Fuzzy Hash: C1E0DF321015A49BA3009F98FE884F5B3E8FB14B063085066E98DEA170EB2C6841C3A2

Control-flow Graph
control_flow_graph 392 c2780-c27b0 call aad30 ExitProcess
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 3c85f98d95fbfbf7bca59f14bbac07f7413dce407331c5968decc49d84bc3334
• Instruction ID: 7f8c7ea22c85c7a6a4e49f91cbbaa0862bafb6985123e7c9b219c5cf4f6c1daf
• Opcode Fuzzy Hash: 3c85f98d95fbfbf7bca59f14bbac07f7413dce407331c5968decc49d84bc3334
• Instruction Fuzzy Hash: 83D05E70120788CA9700AFA4FCC562137ACFB40B407401429A8058F264E37CE681C7E1

Control-flow Graph
control_flow_graph 405 ceeb0-cefc4 call c9e60 408 cefc6 405->408 409 cefd0-cf013 CreatePipe 405->409 408->409 410 cf038-cf048 409->410 411 cf015-cf033 409->411 413 cf07f-cf0ae SetHandleInformation CreatePipe 410->413 414 cf04a-cf061 410->414 412 cf3cc-cf3f2 411->412 419 cf5df-cf5eb 412->419 420 cf3f8-cf40f 412->420 417 cf104-cf12e 413->417 418 cf0b0-cf0cd 413->418 415 cf075 414->415 416 cf063-cf073 414->416 415->413 416->413 423 cf140-cf165 SetHandleInformation 417->423 424 cf130-cf13b 417->424 421 cf377-cf3a3 CloseHandle 418->421 422 cf0d3-cf0ff 418->422 425 cf5f1-cf610 call a6660 419->425 420->425 426 cf415-cf425 420->426 429 cf3af-cf3c6 421->429 430 cf3a5-cf3a9 CloseHandle 421->430 422->421 427 cf197-cf214 call c9e60 * 2 423->427 428 cf167-cf176 423->428 424->423 435 cf617-cf637 425->435 426->425 440 cf228-cf26e 427->440 441 cf216-cf222 427->441 432 cf178-cf182 428->432 433 cf184-cf191 428->433 429->412 429->435 430->429 432->427 433->427 442 cf297-cf2de CreateProcessA 440->442 443 cf270-cf290 440->443 441->440 444 cf325-cf337 442->444 445 cf2e0-cf306 442->445 443->442 446 cf33d-cf33f 444->446 445->446 447 cf308-cf323 445->447 448 cf42a-cf44e WriteFile 446->448 449 cf345 446->449 447->446 450 cf49f-cf4b1 448->450 451 cf450-cf469 448->451 452 cf34f-cf36d CloseHandle * 2 449->452 454 cf4d0-cf500 CloseHandle * 2 450->454 455 cf4b3-cf4c9 450->455 451->452 453 cf46f-cf48a 451->453 452->421 453->452 456 cf490-cf49a 453->456 457 cf50c-cf5d8 call c1720 WaitForSingleObject CloseHandle * 2 454->457 458 cf502 454->458 455->454 456->452 457->419 458->457
APIs
• CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 000CF00B
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 000CF086
• CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 000CF0A6
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 000CF147
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 000CF2C2
• CloseHandle.KERNEL32(00000000), ref: 000CF353
• CloseHandle.KERNEL32(?), ref: 000CF367
• CloseHandle.KERNEL32(00000000), ref: 000CF37B
• CloseHandle.KERNEL32(00000000), ref: 000CF3A9
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 000CF446
• CloseHandle.KERNEL32(00000000), ref: 000CF4D4
• CloseHandle.KERNEL32(00000000), ref: 000CF4E8
• WaitForSingleObject.KERNEL32(?,00002710), ref: 000CF56B
• CloseHandle.KERNEL32(?), ref: 000CF586
• CloseHandle.KERNEL32(?), ref: 000CF5A7
Note: this is the documented Win32 layout for running a child process with redirected standard handles: two CreatePipe calls, SetHandleInformation(h, HANDLE_FLAG_INHERIT = 0x1, 0) on the parent's end of each pipe so the child does not inherit it, CreateProcessA with bInheritHandles = 1 (fifth argument) and dwCreationFlags = 0, a WriteFile into the pipe that is the child's stdin, then WaitForSingleObject with a 0x2710 = 10000 ms timeout before the remaining handles are closed. The 00000044 in the lpStartupInfo slot is 68, the size of STARTUPINFOA on 32-bit Windows. What is launched and what is written into the pipe cannot be recovered from this listing: lpApplicationName and lpCommandLine are shown as 00000000 and the WriteFile buffer and length as ?.
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: ;8\w$<,]8$D$^K
• API String ID: 1130065513-1617536871
• Opcode ID: ee45c13b49e87ec7ea71eb26e74546c1264afe6f4abc59d920e59ca332bb51ac
• Instruction ID: bdf609da975a03ef5f8c689c7a397c6318e273cdb473524950e6922ff74f08da
• Opcode Fuzzy Hash: ee45c13b49e87ec7ea71eb26e74546c1264afe6f4abc59d920e59ca332bb51ac
• Instruction Fuzzy Hash: 5312CF71605285DFE708CF68EDC5ABA37B6F758B11B14812FE806EB264E73C9940CB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000CB8EC
                                                                                                                                                                                                              • Process32First.KERNEL32(00000000,00000128), ref: 000CBA96
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateFirstProcess32SnapshotToolhelp32
                                                                                                                                                                                                              • String ID: 9y8
                                                                                                                                                                                                              • API String ID: 2353314856-3592070472
                                                                                                                                                                                                              • Opcode ID: 960480ddf9eb9e801264665fd3dde503b44a210da654aac56187c0776708e153
                                                                                                                                                                                                              • Instruction ID: cd6243f3c696d8043c8ec6bfadd5babe3da1aa5662e00e58c34278c7eff8600d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 960480ddf9eb9e801264665fd3dde503b44a210da654aac56187c0776708e153
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 07F1D2716112918BF718CF28EDD2A6937F5F794B10B04811FE806EB275EB7C9981CB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 000B826F
                                                                                                                                                                                                              • CreateServiceA.ADVAPI32(00000000,00BAE1F8,00BAE1F8,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 000B82CA
                                                                                                                                                                                                              • ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 000B8301
                                                                                                                                                                                                              • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 000B8323
                                                                                                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 000B833A
                                                                                                                                                                                                              • OpenServiceA.ADVAPI32(00000000,00BAE1F8,00000010), ref: 000B838B
                                                                                                                                                                                                              • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 000B83C2
                                                                                                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 000B8408
                                                                                                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 000B8481
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3525021261-0
                                                                                                                                                                                                              • Opcode ID: 8b78010f6ee0415ba996eefe6edd81904228cb4dc04e46ec24b050cf2f31c721
                                                                                                                                                                                                              • Instruction ID: ca62f801433cf3697ca7039dd43a8fb32e375ddab9a5694806f4dd21e956a47b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8b78010f6ee0415ba996eefe6edd81904228cb4dc04e46ec24b050cf2f31c721
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C6619A716066819BF3148B28FDC6B7537F8F754B01F14811BE945EA2B0EB7C9981CB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 000A40B0: lstrlen.KERNEL32(?,?,000A1038,?), ref: 000A40DD
                                                                                                                                                                                                              • Sleep.KERNEL32(000003E8), ref: 000A6189
                                                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?), ref: 000A6274
                                                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 000A632E
                                                                                                                                                                                                              • FindNextFileA.KERNEL32(?,?), ref: 000A6384
                                                                                                                                                                                                              • FindClose.KERNEL32(?), ref: 000A63AA
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FileFind$CloseDeleteFirstNextSleeplstrlen
                                                                                                                                                                                                              • String ID: ysh
                                                                                                                                                                                                              • API String ID: 3282225923-1904326249
                                                                                                                                                                                                              • Opcode ID: f343d1a4f289493efc99600daafcf6f1d3200c24c3ad6737e76550ca8702e10a
                                                                                                                                                                                                              • Instruction ID: 358c0b43d6d05277b84b8f9a1137cf467f31ac321ba00d36399da1dd50e0f76d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f343d1a4f289493efc99600daafcf6f1d3200c24c3ad6737e76550ca8702e10a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9D811771901284DFF718DF64FDC2AA577B5FBA4B00F14815AE905AB2B0EB7C8941CB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000,00000001), ref: 000CA124
                                                                                                                                                                                                              • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,0000000A,?,00000000,?,00000000,00000001), ref: 000CA164
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,00000000,00000001), ref: 000CA176
                                                                                                                                                                                                              • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,-0000001A,0000000A,?,00000000,00000001), ref: 000CA24F
                                                                                                                                                                                                                • Part of subcall function 000ABBA0: wvsprintfA.USER32(00000000,?,000C09D1), ref: 000ABBEB
                                                                                                                                                                                                              • CloseServiceHandle.ADVAPI32(00000000,00000001), ref: 000CA44C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicewvsprintf
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 475583450-0
                                                                                                                                                                                                              • Opcode ID: 06c334d233f486617f58fa397c6815d04ef5cc43faae2974ef71ef4bd5e8b4ed
                                                                                                                                                                                                              • Instruction ID: 31ed7980d7692bea477db2e0686332e9f803fd1a297f5dafb171965a3b12df83
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 06c334d233f486617f58fa397c6815d04ef5cc43faae2974ef71ef4bd5e8b4ed
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5CC1C471A01284DBF354CF64FDC1AAA77F5FB95B14B00812BE905EF2A0E7789941CB62
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(00BAE1F8,Function_00014290,E4E0A1C8,?,?,00000072), ref: 000AB669
• SetServiceStatus.ADVAPI32(00000000,000E67EC,?,?,00000072), ref: 000AB70D
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000072), ref: 000AB721
• SetServiceStatus.ADVAPI32(00000000,000E67EC,?,?,00000072), ref: 000AB771
• WaitForSingleObject.KERNEL32(00000000,00001388,?,?,00000072), ref: 000AB7D0
• SetServiceStatus.ADVAPI32(00000000,000E67EC,00000072), ref: 000AB82A
• CloseHandle.KERNEL32(00000000), ref: 000AB841
• SetServiceStatus.ADVAPI32(00000000,000E67EC), ref: 000AB8AA
Memory Dump Source
• Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,000000FF), ref: 000CA7F1
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,000000FF), ref: 000CA849
• CloseHandle.KERNEL32(00000000,?,?,000000FF), ref: 000CA885
• GetTickCount.KERNEL32 ref: 000CA8B8
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 000CAA75
• WriteFile.KERNEL32(00000000,000000FF,?,?,00000000), ref: 000CAAC8
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000CAAE2
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID:
• API String ID: 3478262135-0
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,000C8262,Function_00001300,00000001,?), ref: 000C199B
• CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 000C19C2
• CloseHandle.KERNEL32(00000000,?,000C8262,Function_00001300,00000001,?), ref: 000C19DD
• WaitForSingleObject.KERNEL32(?,000000FF,?,000C8262,Function_00001300,00000001,?), ref: 000C19F2
• CloseHandle.KERNEL32(?,?,000000FF,?,000C8262,Function_00001300,00000001,?), ref: 000C1A19
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
APIs
• RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 000B7221
• RegSetValueExA.ADVAPI32(?,00BB1C70,00000000,00000001,?,00000000), ref: 000B72E0
• RegCloseKey.ADVAPI32(?), ref: 000B7300
Strings
Similarity
• API ID: CloseOpenValue
• String ID: IR
• API String ID: 779948276-3379982419
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 000CE966
• ReadFile.KERNEL32(00000000,?,00005000,00000000,00000000), ref: 000CE9D7
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 000CEADD
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$CloseCreateHandleRead
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1035965006-0
                                                                                                                                                                                                              • Opcode ID: 80b51a5e929794dca0ea4d759970d35f65b4c30a3be018b8ed65c2c674e879e5
                                                                                                                                                                                                              • Instruction ID: 7ba4785a0715d5806e8f96347ab443403e12cbdc72a82210202d703fb39d79a5
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 80b51a5e929794dca0ea4d759970d35f65b4c30a3be018b8ed65c2c674e879e5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0181DF75602244DBF704DF68FC91BAA33F5F794B10F00855BE9059B2A1EB38A841CF65
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,000D0A87,00000000,?,?,?,?,?,00000001), ref: 000CFAF7
                                                                                                                                                                                                              • RtlReAllocateHeap.NTDLL(00000000,?,000D0A87,00000000), ref: 000CFAFE
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?,?,000D0A87,00000000,?,?,?,?,?,00000001), ref: 000CFB19
                                                                                                                                                                                                              • HeapAlloc.KERNEL32(00000000,?,000D0A87,00000000,?,?,?,?,?,00000001), ref: 000CFB20
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Heap$Process$AllocAllocate
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1154092256-0
                                                                                                                                                                                                              • Opcode ID: 7988c93b1ab2bb2dc5b3356d117fa3e952b4dc5f0df4fdc175c35b57ecdc651a
                                                                                                                                                                                                              • Instruction ID: 3ec43dcd4ee55399c9b11a6019a5c48c806c1f3ac2dcc724eff7dc0f094b9bb3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7988c93b1ab2bb2dc5b3356d117fa3e952b4dc5f0df4fdc175c35b57ecdc651a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 11F03071112245EFFB049FB0FC49A6A3B69FF88B51F108045FD09DA6A0EB399940CB71
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetSystemTimeAsFileTime.KERNEL32(00000001,00000001,00000000,00000001,00000000), ref: 000A3E43
                                                                                                                                                                                                              • __aulldiv.LIBCMT ref: 000A3E74
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Time$FileSystem__aulldiv
                                                                                                                                                                                                              • String ID: L9<8
                                                                                                                                                                                                              • API String ID: 2838486344-2160928743
                                                                                                                                                                                                              • Opcode ID: 315d4ecf004d470ed980e853942af3af9063cc04f2a0eb5677ba56ee3d7126e2
                                                                                                                                                                                                              • Instruction ID: ed40cc72fa3a9a678b226b3707d7243b628796064e921938c65896fb154ca9d3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 315d4ecf004d470ed980e853942af3af9063cc04f2a0eb5677ba56ee3d7126e2
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 07412376A122908FE758CF84FCD156977B6FB96B14310812FE807AF6A1D33C9941CBA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000004.00000002.2941536142.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941519142.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941564264.00000000000D2000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941579088.00000000000D3000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000D6000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2941945731.00000000000EE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000004.00000002.2942023000.00000000000EF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_a0000_tkjnbticppc.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountSystemTickTime
                                                                                                                                                                                                              • String ID: @(l$
                                                                                                                                                                                                              • API String ID: 2164215191-2034585603
                                                                                                                                                                                                              • Opcode ID: e022d6b9a1c6bdc6d47de9775193bb2670a637d0d46394bc461f7d51aefaf872
                                                                                                                                                                                                              • Instruction ID: 48d9ced1e25090c14d5db78e4f46f596db0fa94807db9272d088186aaeb29f2c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e022d6b9a1c6bdc6d47de9775193bb2670a637d0d46394bc461f7d51aefaf872
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E041A072902290CBF344DF28ECC296A37A1FB94B15314812BD846EE671EB7D9941CB61

Execution Graph

Execution Coverage: 7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1927
Total number of Limit Nodes: 19
c25730 2 API calls 11209 c21635 11208->11209 11210 c44a90 9 API calls 11209->11210 11211 c21661 11210->11211 11212 c45810 8 API calls 11211->11212 11213 c2166d 11212->11213 11214 c43840 2 API calls 11213->11214 11215 c21694 11214->11215 11216 c21890 8 API calls 11215->11216 11217 c216c2 11216->11217 11218 c26660 8 API calls 11217->11218 11219 c21716 11218->11219 11220 c25730 2 API calls 11219->11220 11221 c21754 11220->11221 11222 c401b0 21 API calls 11221->11222 11223 c2177a 11222->11223 11224 c43840 2 API calls 11223->11224 11224->11175 11226 c21890 8 API calls 11225->11226 11227 c41abf SetEvent 11226->11227 11227->11172 11295 c2ab70 11228->11295 11231 c376c0 11232 c48a40 8 API calls 11231->11232 11233 c214a2 11232->11233 11233->11186 11235 c244c4 11234->11235 11236 c25730 2 API calls 11235->11236 11241 c24611 11235->11241 11237 c245e0 11236->11237 11238 c2b980 9 API calls 11237->11238 11239 c245ff 11238->11239 11240 c43840 2 API calls 11239->11240 11240->11241 11242 c246a4 11241->11242 11243 c24789 11241->11243 11244 c25730 2 API calls 11242->11244 11246 c25730 2 API calls 11243->11246 11245 c246c6 11244->11245 11247 c2b980 9 API calls 11245->11247 11248 c247cf 11246->11248 11249 c246e5 11247->11249 11303 c23640 11248->11303 11250 c43840 2 API calls 11249->11250 11253 c2476a 11250->11253 11252 c247f9 11254 c43840 2 API calls 11252->11254 11253->11203 11255 c24819 11254->11255 11256 c2483f 11255->11256 11257 c248ac 11255->11257 11258 c25730 2 API calls 11256->11258 11316 c25600 GetModuleFileNameA 11257->11316 11260 c24855 11258->11260 11262 c2b980 9 API calls 11260->11262 11266 c24886 11262->11266 11263 c248c9 11267 c25730 2 API calls 11263->11267 11264 c2493c 11265 c25f60 lstrlen 11264->11265 11268 c24967 11265->11268 11269 c43840 2 API calls 11266->11269 11270 c248e9 11267->11270 11318 c4b310 11268->11318 11273 c24898 11269->11273 11271 c2b980 9 API calls 11270->11271 11274 c24901 11271->11274 11273->11203 11276 c43840 2 API calls 11274->11276 11277 c2491f 
11276->11277 11277->11203 11280 c25730 2 API calls 11281 c249d2 11280->11281 11282 c43840 2 API calls 11281->11282 11283 c249fd 11282->11283 11326 c240b0 lstrlen 11283->11326 11285 c24a3e 11286 c43060 5 API calls 11285->11286 11287 c24a79 11286->11287 11327 c4eeb0 11287->11327 11290 c24bb6 11290->11203 11292 c2765b 11291->11292 11293 c46ff0 8 API calls 11292->11293 11294 c2161f 11293->11294 11294->11208 11296 c2ab7b 11295->11296 11299 c4c960 11296->11299 11300 c4c97c 11299->11300 11301 c46ff0 8 API calls 11300->11301 11302 c21499 11301->11302 11302->11231 11305 c23672 11303->11305 11304 c236d6 11304->11252 11305->11304 11351 c22710 11305->11351 11309 c237bd 11312 c23772 11309->11312 11361 c26bf0 11309->11361 11311 c23834 11368 c22f90 11311->11368 11379 c44b20 11312->11379 11317 c248c2 11316->11317 11317->11263 11317->11264 11319 c4b367 11318->11319 11320 c24994 11319->11320 11321 c47040 8 API calls 11319->11321 11322 c23480 11320->11322 11321->11320 11324 c234a7 11322->11324 11323 c235ea 11323->11280 11324->11323 11325 c4b310 8 API calls 11324->11325 11325->11324 11326->11285 11328 c4efa4 11327->11328 11329 c4efd0 CreatePipe 11328->11329 11330 c4f038 SetHandleInformation CreatePipe 11329->11330 11334 c4f015 11329->11334 11332 c4f104 SetHandleInformation 11330->11332 11333 c4f0b0 11330->11333 11340 c4f167 11332->11340 11335 c4f377 CloseHandle 11333->11335 11338 c26660 8 API calls 11334->11338 11339 c24b5e DeleteFileA 11334->11339 11335->11334 11337 c4f3a5 CloseHandle 11335->11337 11337->11334 11338->11339 11339->11290 11341 c4f297 CreateProcessA 11340->11341 11342 c4f2e0 11341->11342 11343 c4f345 CloseHandle CloseHandle 11342->11343 11344 c4f42a WriteFile 11342->11344 11343->11335 11344->11343 11345 c4f49f CloseHandle CloseHandle 11344->11345 11348 c4f502 11345->11348 11517 c41720 11348->11517 11352 c2274d 11351->11352 11353 c270e0 4 API calls 11352->11353 11354 c227bd 11353->11354 11355 c452f0 4 API calls 11354->11355 11356 c227e3 11354->11356 11355->11356 
11356->11312 11357 c452f0 11356->11357 11358 c45311 11357->11358 11359 c270e0 4 API calls 11358->11359 11360 c4533c 11359->11360 11360->11309 11382 c335f0 11361->11382 11365 c26c50 11394 c485e0 11365->11394 11367 c26c6a 11367->11311 11369 c22f9d 11368->11369 11370 c23470 11369->11370 11406 c4fc20 11369->11406 11370->11312 11372 c25730 2 API calls 11375 c232ab 11372->11375 11373 c2307d 11373->11372 11376 c230f5 11373->11376 11378 c232fa 11373->11378 11374 c25730 2 API calls 11374->11376 11375->11376 11377 c43840 2 API calls 11375->11377 11376->11312 11377->11378 11378->11374 11378->11376 11380 c37450 2 API calls 11379->11380 11381 c23984 11380->11381 11381->11252 11383 c3360f 11382->11383 11384 c25730 2 API calls 11383->11384 11385 c33686 11384->11385 11386 c43840 2 API calls 11385->11386 11387 c26c32 11386->11387 11388 c37bf0 11387->11388 11389 c37c2d 11388->11389 11390 c37de8 11388->11390 11391 c37d1d 11389->11391 11400 c45950 11389->11400 11390->11365 11391->11390 11393 c45950 4 API calls 11391->11393 11393->11391 11395 c48665 11394->11395 11396 c37bf0 4 API calls 11395->11396 11397 c488e3 11396->11397 11398 c37bf0 4 API calls 11397->11398 11399 c48909 11398->11399 11399->11367 11401 c459a4 11400->11401 11402 c25730 2 API calls 11401->11402 11403 c45b5f 11402->11403 11404 c43840 2 API calls 11403->11404 11405 c45e79 11404->11405 11405->11391 11407 c4fc5c 11406->11407 11408 c22710 4 API calls 11407->11408 11410 c4fc82 11408->11410 11409 c37450 2 API calls 11411 c4fda5 11409->11411 11412 c4fcb5 11410->11412 11413 c4fd03 11410->11413 11417 c4fd51 11410->11417 11411->11373 11414 c37450 2 API calls 11412->11414 11418 c34420 11413->11418 11416 c4fcea 11414->11416 11416->11373 11417->11409 11420 c3444f 11418->11420 11419 c353c0 11419->11417 11420->11419 11421 c270e0 4 API calls 11420->11421 11422 c34686 11421->11422 11424 c270e0 4 API calls 11422->11424 11452 c34be5 11422->11452 11423 c35323 11428 c35395 11423->11428 11429 c35389 11423->11429 11425 c346cf 11424->11425 
11427 c270e0 4 API calls 11425->11427 11425->11452 11426 c37450 2 API calls 11426->11452 11433 c3470a 11427->11433 11430 c37450 2 API calls 11428->11430 11431 c37450 2 API calls 11429->11431 11432 c35390 11430->11432 11431->11432 11432->11417 11434 c452f0 4 API calls 11433->11434 11444 c3473a 11433->11444 11433->11452 11435 c34789 11434->11435 11435->11452 11454 c33b00 11435->11454 11437 c347b1 11437->11452 11458 c322e0 11437->11458 11438 c3488f 11440 c36dc0 4 API calls 11438->11440 11439 c3487c 11442 c322e0 4 API calls 11439->11442 11443 c3488a 11440->11443 11442->11443 11445 c36dc0 4 API calls 11443->11445 11444->11438 11444->11439 11444->11452 11446 c348eb 11445->11446 11447 c270e0 4 API calls 11446->11447 11446->11452 11448 c34980 11447->11448 11449 c36dc0 4 API calls 11448->11449 11448->11452 11453 c349af 11449->11453 11450 c270e0 4 API calls 11450->11453 11451 c36dc0 4 API calls 11451->11453 11452->11423 11452->11426 11453->11450 11453->11451 11453->11452 11455 c33b94 11454->11455 11456 c270e0 4 API calls 11455->11456 11457 c33bca 11455->11457 11456->11457 11457->11437 11457->11457 11459 c3232a 11458->11459 11466 c35f50 11459->11466 11461 c323cf 11461->11444 11462 c32356 11462->11461 11463 c32396 11462->11463 11464 c267e0 4 API calls 11462->11464 11463->11461 11508 c47930 11463->11508 11464->11462 11468 c35f9b 11466->11468 11467 c35fc0 11467->11462 11468->11467 11469 c360a5 11468->11469 11470 c3603b 11468->11470 11472 c36dc0 4 API calls 11469->11472 11471 c36054 11470->11471 11473 c452f0 4 API calls 11470->11473 11474 c36086 11471->11474 11475 c36dc0 4 API calls 11471->11475 11501 c36079 11471->11501 11477 c360b9 11472->11477 11473->11471 11474->11462 11475->11501 11476 c37450 2 API calls 11478 c36d9a 11476->11478 11479 c36dc0 4 API calls 11477->11479 11477->11501 11478->11462 11480 c3612e 11479->11480 11481 c270e0 4 API calls 11480->11481 11480->11501 11482 c3617a 11481->11482 11483 c452f0 4 API calls 11482->11483 11482->11501 11484 c3619b 11483->11484 11485 
c270e0 4 API calls 11484->11485 11484->11501 11486 c361c5 11485->11486 11487 c270e0 4 API calls 11486->11487 11486->11501 11488 c361e7 11487->11488 11489 c33b00 4 API calls 11488->11489 11490 c362c4 11488->11490 11488->11501 11492 c36277 11489->11492 11491 c33b00 4 API calls 11490->11491 11490->11501 11495 c36391 11491->11495 11493 c33b00 4 API calls 11492->11493 11492->11501 11493->11490 11494 c47930 4 API calls 11494->11495 11495->11494 11503 c3641d 11495->11503 11496 c36c28 11497 c36dc0 4 API calls 11496->11497 11498 c36c7a 11496->11498 11497->11498 11499 c36dc0 4 API calls 11498->11499 11498->11501 11499->11501 11500 c452f0 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 11500->11503 11501->11474 11501->11476 11502 c211a0 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 11502->11503 11503->11496 11503->11500 11503->11501 11503->11502 11504 c47930 4 API calls 11503->11504 11505 c36dc0 4 API calls 11503->11505 11506 c33b00 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 11503->11506 11507 c267e0 4 API calls 11503->11507 11504->11503 11505->11503 11506->11503 11507->11503 11509 c47978 11508->11509 11510 c47b39 11508->11510 11512 c47a45 11509->11512 11513 c4799d 11509->11513 11511 c3c640 4 API calls 11510->11511 11516 c479c4 11511->11516 11514 c464f0 4 API calls 11512->11514 11515 c464f0 4 API calls 11513->11515 11514->11516 11515->11516 11516->11463 11518 c4172d 11517->11518 11519 c26660 8 API calls 11518->11519 11522 c417f3 11519->11522 11520 c4184d ReadFile 11521 c418fa WaitForSingleObject CloseHandle CloseHandle 11520->11521 11520->11522 11521->11334 11522->11520 11522->11521 11523 c21890 8 API calls 11522->11523 11523->11522 11524 c41300 11525 c42320 lstrlen 11524->11525 11526 c4130f 11525->11526 10982 c3c389 10984 c3c390 10982->10984 10985 c3c441 Process32Next 10984->10985 10986 c3c4a2 CloseHandle 10984->10986 10989 c32290 lstrlen CharLowerBuffA 10984->10989 10985->10984 10985->10986 10988 c3c4e5 10986->10988 10989->10984 10507 
c41814 10510 c41820 10507->10510 10508 c4184d ReadFile 10509 c418fa 10508->10509 10508->10510 10510->10508 10510->10509 10511 c21890 8 API calls 10510->10511 10511->10510 10426 c25c90 10427 c25c9b 10426->10427 10428 c25ca7 10427->10428 10429 c21fc0 2 API calls 10427->10429 10429->10428 10990 c45b96 10991 c45ba0 10990->10991 10992 c43840 2 API calls 10991->10992 10993 c45e79 10992->10993 10434 c34290 10435 c342b3 10434->10435 10436 c342ba SetServiceStatus 10434->10436 10435->10436 10437 c342d3 10435->10437 10438 c342e7 SetServiceStatus SetEvent 10435->10438 10440 c34350 10436->10440 10437->10438 10438->10440 10516 c4fe10 10517 c4fe46 10516->10517 10518 c499b0 3 API calls 10517->10518 10519 c4ff15 10518->10519 10520 c260a0 10 API calls 10519->10520 10521 c4ff81 10520->10521 10522 c45860 lstrlen 10521->10522 10523 c4ff97 10522->10523 10524 c25730 2 API calls 10523->10524 10525 c4ffcc 10524->10525 10526 c43840 2 API calls 10525->10526 10529 c50021 10526->10529 10527 c26660 8 API calls 10528 c5074e Sleep 10527->10528 10528->10529 10529->10527 10531 c3c250 6 API calls 10529->10531 10532 c438b0 3 API calls 10529->10532 10533 c23dc0 GetSystemTimeAsFileTime 10529->10533 10535 c4c080 12 API calls 10529->10535 10536 c42950 32 API calls 10529->10536 10537 c2b980 9 API calls 10529->10537 10538 c45810 8 API calls 10529->10538 10539 c24460 8 API calls 10529->10539 10541 c25730 GetProcessHeap RtlAllocateHeap 10529->10541 10542 c401b0 21 API calls 10529->10542 10543 c43840 GetProcessHeap RtlFreeHeap 10529->10543 10544 c35520 27 API calls 10529->10544 10545 c497d0 10529->10545 10556 c35b60 10529->10556 10562 c33880 10529->10562 10531->10529 10532->10529 10533->10529 10535->10529 10536->10529 10537->10529 10538->10529 10539->10529 10541->10529 10542->10529 10543->10529 10544->10529 10546 c25730 2 API calls 10545->10546 10547 c49826 10546->10547 10548 c25730 2 API calls 10547->10548 10549 c49841 10548->10549 10569 c377f0 10549->10569 10552 c43840 2 API calls 10553 c49877 10552->10553 
10554 c43840 2 API calls 10553->10554 10555 c498b6 10554->10555 10555->10529 10557 c35b8e 10556->10557 10558 c42300 2 API calls 10557->10558 10559 c35bf4 10558->10559 10560 c21890 8 API calls 10559->10560 10561 c35cf8 10559->10561 10560->10561 10561->10529 10568 c33898 10562->10568 10563 c3398b DeleteFileA 10563->10568 10564 c33aa3 10564->10529 10566 c33a31 10566->10564 10580 c49bd0 10566->10580 10568->10563 10568->10564 10568->10566 10575 c2bab0 10568->10575 10570 c3781d 10569->10570 10571 c25730 2 API calls 10570->10571 10572 c37b66 10571->10572 10573 c43840 2 API calls 10572->10573 10574 c37b95 10573->10574 10574->10552 10584 c4c460 10575->10584 10577 c2bacd 10588 c22870 10577->10588 10581 c49c07 10580->10581 10582 c49c9b 10581->10582 10603 c21060 10581->10603 10582->10566 10585 c4c478 10584->10585 10586 c50850 8 API calls 10585->10586 10587 c4c4b6 10586->10587 10587->10577 10589 c2287e 10588->10589 10590 c22890 10589->10590 10592 c24e20 10589->10592 10590->10568 10595 c48a40 10592->10595 10594 c24e2f 10594->10590 10596 c48a52 10595->10596 10599 c2baf0 10596->10599 10598 c48a68 10598->10594 10600 c2bafb 10599->10600 10601 c3cb30 8 API calls 10600->10601 10602 c2bb3c 10601->10602 10602->10598 10606 c44d20 10603->10606 10607 c44d4b 10606->10607 10608 c414f0 8 API calls 10607->10608 10609 c2106e 10608->10609 10609->10582 11527 c46d10 11528 c46d4b 11527->11528 11529 c22ef0 2 API calls 11528->11529 11530 c46d50 11529->11530 11531 c220e0 3 API calls 11530->11531 11532 c46d5f 11531->11532 10441 c37496 10443 c374a0 10441->10443 10442 c375ba 10443->10442 10444 c3c520 2 API calls 10443->10444 10444->10443 10445 c228a0 10446 c228b0 10445->10446 10447 c228c2 10446->10447 10448 c22a0c ReadFile 10446->10448 10449 c22a31 10448->10449 10450 c220a0 10451 c220b7 10450->10451 10452 c251d0 8 API calls 10451->10452 10453 c220ce 10452->10453 11001 c377a1 11002 c377aa 11001->11002 11003 c25730 2 API calls 11002->11003 11004 c37b66 11003->11004 11005 c43840 2 API calls 11004->11005 
11006 c37b95 11005->11006 10610 c42420 FlushFileBuffers 10611 c42460 GetLastError 10610->10611 10612 c424a2 10610->10612 10613 c42820 10614 c42873 10613->10614 10617 c267e0 10614->10617 10618 c2681a 10617->10618 10619 c2690b 10617->10619 10621 c26834 10618->10621 10622 c268bf 10618->10622 10635 c3c640 10619->10635 10626 c464f0 10621->10626 10623 c464f0 4 API calls 10622->10623 10625 c26849 10623->10625 10628 c46532 10626->10628 10627 c46567 10627->10625 10628->10627 10630 c465c5 10628->10630 10643 c36dc0 10628->10643 10631 c36dc0 4 API calls 10630->10631 10632 c46684 10630->10632 10631->10632 10648 c37450 10632->10648 10636 c3c6a0 10635->10636 10637 c3c756 10636->10637 10638 c36dc0 4 API calls 10636->10638 10639 c270e0 4 API calls 10637->10639 10640 c3ca18 10637->10640 10638->10637 10642 c3c7ba 10639->10642 10640->10625 10641 c270e0 4 API calls 10641->10642 10642->10640 10642->10641 10644 c36df3 10643->10644 10645 c36df9 10643->10645 10644->10630 10646 c270e0 4 API calls 10645->10646 10647 c36e71 10646->10647 10647->10630 10649 c375ba 10648->10649 10650 c3748f 10648->10650 10649->10625 10650->10649 10651 c3c520 2 API calls 10650->10651 10651->10650 10652 c34a29 10662 c34a30 10652->10662 10653 c270e0 4 API calls 10653->10662 10654 c35323 10657 c35395 10654->10657 10658 c35389 10654->10658 10655 c36dc0 4 API calls 10655->10662 10656 c37450 2 API calls 10663 c34be5 10656->10663 10659 c37450 2 API calls 10657->10659 10660 c37450 2 API calls 10658->10660 10661 c35390 10659->10661 10660->10661 10662->10653 10662->10655 10662->10663 10663->10654 10663->10656 11007 c47da8 11011 c47db0 11007->11011 11008 c4835c 11009 c26660 8 API calls 11008->11009 11010 c485a4 11009->11010 11011->11008 11012 c21890 8 API calls 11011->11012 11013 c48354 11011->11013 11014 c25730 GetProcessHeap RtlAllocateHeap 11011->11014 11015 c41950 5 API calls 11011->11015 11016 c43840 GetProcessHeap RtlFreeHeap 11011->11016 11017 c482d0 CreateThread CloseHandle 11011->11017 11012->11011 11014->11011 
11015->11011 11016->11011 11017->11011 10664 c22630 10665 c251d0 8 API calls 10664->10665 10666 c2265b 10665->10666 10454 c3beb0 10455 c3bec8 10454->10455 10460 c240b0 lstrlen 10455->10460 10457 c3bf13 10461 c24090 10457->10461 10460->10457 10464 c26670 10461->10464 10463 c240aa 10465 c2668f 10464->10465 10466 c266f1 10465->10466 10467 c266fe 10465->10467 10471 c414f0 10466->10471 10470 c266fc 10467->10470 10475 c2b9e0 10467->10475 10470->10463 10472 c4152d 10471->10472 10473 c50850 8 API calls 10472->10473 10474 c415b9 10473->10474 10474->10470 10476 c2b9ff 10475->10476 10477 c3cb30 8 API calls 10476->10477 10478 c2ba40 10477->10478 10478->10470 11542 c2b531 11543 c2b5ae RegisterServiceCtrlHandlerA 11542->11543 11547 c2b696 11543->11547 11545 c2b8ba 11546 c2b702 SetServiceStatus CreateEventA SetServiceStatus 11548 c2b7a2 11546->11548 11549 c2b7b0 WaitForSingleObject 11546->11549 11547->11545 11547->11546 11548->11549 11549->11549 11550 c2b7dd 11549->11550 11551 c26590 WaitForSingleObject 11550->11551 11552 c2b7f4 SetServiceStatus CloseHandle SetServiceStatus 11551->11552 11552->11545 11021 c44db0 11022 c44ddf 11021->11022 11023 c4fad0 4 API calls 11022->11023 11024 c44e33 11022->11024 11023->11024 9247 c46d32 9248 c46d4b 9247->9248 9253 c22ef0 9248->9253 9252 c46d5f 9260 c33d60 9253->9260 9255 c22f36 9256 c220e0 GetStdHandle GetStdHandle 9255->9256 9257 c22177 GetStdHandle 9256->9257 9258 c2215b 9256->9258 9259 c221bc 9257->9259 9258->9257 9259->9252 9261 c33d84 9260->9261 9262 c33d9f GetProcessHeap HeapAlloc 9260->9262 9261->9262 9262->9255 9263 c3b73a 9264 c3b7d3 9263->9264 9268 c300c1 9264->9268 9471 c30ae8 9264->9471 9610 c43840 9268->9610 9272 c3010b 9273 c43840 2 API calls 9272->9273 9274 c3013a 9273->9274 9275 c25730 2 API calls 9274->9275 9276 c30180 9275->9276 9277 c43840 2 API calls 9276->9277 9278 c301a9 9277->9278 9279 c25730 2 API calls 9278->9279 9280 c301f9 9279->9280 9281 c43840 2 API calls 9280->9281 9282 c30219 9281->9282 9283 c25730 2 API calls 
9282->9283 9284 c3027a 9283->9284 9285 c43840 2 API calls 9284->9285 9286 c30292 9285->9286 9287 c43840 2 API calls 9286->9287 9288 c302d0 9287->9288 9618 c3c520 9288->9618 9292 c3036d 9293 c25730 2 API calls 9292->9293 9294 c303c5 GetEnvironmentVariableA 9293->9294 9296 c43840 2 API calls 9294->9296 9297 c30414 CreateMutexA CreateMutexA CreateMutexA 9296->9297 9627 c26460 9297->9627 9299 c304b5 9300 c3060b 9299->9300 9302 c3056a 9299->9302 9303 c3057f GetTickCount 9299->9303 9631 c32490 9300->9631 9302->9303 9305 c30593 9303->9305 9304 c3061a GetCommandLineA 9309 c30652 9304->9309 9307 c25730 2 API calls 9305->9307 9308 c305a9 9307->9308 9311 c43840 2 API calls 9308->9311 9310 c25730 2 API calls 9309->9310 9312 c306e3 9310->9312 9313 c305de 9311->9313 9314 c43840 2 API calls 9312->9314 9313->9300 9315 c30711 9314->9315 9316 c311fc GetCommandLineA 9315->9316 9317 c25730 2 API calls 9315->9317 9730 c3bf70 9316->9730 9321 c3077b 9317->9321 9319 c3121a 9733 c240b0 lstrlen 9319->9733 9322 c43840 2 API calls 9321->9322 9323 c307ff 9322->9323 9324 c30845 9323->9324 9326 c42780 ExitProcess 9323->9326 9327 c25730 2 API calls 9324->9327 9326->9324 9330 c3087a 9327->9330 9328 c31257 GetModuleFileNameA 9734 c32290 lstrlen CharLowerBuffA 9328->9734 9332 c43840 2 API calls 9330->9332 9331 c31347 9735 c32290 lstrlen CharLowerBuffA 9331->9735 9333 c308ea 9332->9333 9335 c30931 9333->9335 9337 c42780 ExitProcess 9333->9337 9748 c45860 9335->9748 9336 c313cd 9736 c32290 lstrlen CharLowerBuffA 9336->9736 9337->9335 9341 c25730 2 API calls 9344 c30972 9341->9344 9342 c316fa 9737 c272e0 9342->9737 9346 c43840 2 API calls 9344->9346 9345 c31752 9347 c3177a 9345->9347 9745 c42780 9345->9745 9367 c309f1 9346->9367 9819 c4cbe0 9347->9819 9351 c317df 9353 c23dc0 GetSystemTimeAsFileTime 9351->9353 9354 c31805 9353->9354 9915 c25f60 9354->9915 9355 c31406 9355->9342 9797 c37f00 9355->9797 9359 c30bbd Sleep 9361 c2b150 5 API calls 9359->9361 9360 c31523 9803 c260a0 9360->9803 9364 c30bfc 
9361->9364 9364->9367 9366 c316cf 9370 c42780 ExitProcess 9366->9370 9367->9359 9369 c30cd0 Sleep 9367->9369 9374 c30cf4 9367->9374 9754 c3c250 9367->9754 9764 c2b150 9367->9764 9773 c23dc0 9367->9773 9368 c3156e 9368->9366 9371 c25730 2 API calls 9368->9371 9369->9367 9370->9342 9373 c3160a 9371->9373 9372 c3182e 9375 c3192c WSAStartup 9372->9375 9818 c240b0 lstrlen 9373->9818 9377 c3c250 6 API calls 9374->9377 9383 c30d81 9374->9383 9384 c30df4 9374->9384 9378 c31965 9375->9378 9387 c319c2 9375->9387 9377->9374 9380 c25730 2 API calls 9378->9380 9379 c3161f MessageBoxA 9382 c31682 9379->9382 9381 c3197b 9380->9381 9919 c3d060 9381->9919 9386 c43840 2 API calls 9382->9386 9777 c41e90 9383->9777 9385 c2b150 5 API calls 9384->9385 9390 c30e1c 9385->9390 9392 c316a3 9386->9392 9393 c31a73 9387->9393 9924 c424e0 9387->9924 9389 c30da0 Sleep 9389->9374 9389->9384 9394 c31178 9390->9394 9398 c30e9a GetModuleFileNameA SetFileAttributesA CopyFileA 9390->9398 9401 c30e88 9390->9401 9395 c42780 ExitProcess 9392->9395 9402 c31ab4 CloseHandle SetFileAttributesA CopyFileA 9393->9402 9416 c31d89 9393->9416 9790 c438b0 9394->9790 9395->9366 9403 c25730 2 API calls 9398->9403 9399 c31a22 9404 c31a43 9399->9404 9408 c42780 ExitProcess 9399->9408 9401->9398 9405 c31b15 SetFileAttributesA 9402->9405 9406 c31cf0 9402->9406 9407 c30f2b 9403->9407 9935 c33ec0 9404->9935 9420 c31b60 9405->9420 9967 c26590 WaitForSingleObject 9406->9967 9415 c43840 2 API calls 9407->9415 9408->9404 9412 c42780 ExitProcess 9412->9316 9414 c3c250 6 API calls 9414->9416 9418 c30f61 9415->9418 9416->9414 9417 c31e13 SetFileAttributesA CopyFileA 9416->9417 9421 c41e90 9 API calls 9416->9421 9422 c31e62 9417->9422 9423 c31e74 SetFileAttributesA 9417->9423 9425 c30ff1 9418->9425 9433 c25730 2 API calls 9418->9433 9419 c31bf1 9429 c31c4e Sleep 9419->9429 9956 c37110 9419->9956 9420->9419 9943 c38200 9420->9943 9426 c31de4 Sleep 9421->9426 9422->9423 9428 c45860 lstrlen 9423->9428 9424 c42780 ExitProcess 
9424->9416 9431 c310d7 SetFileAttributesA 9425->9431 9432 c31085 SetFileAttributesA 9425->9432 9426->9416 9426->9417 9434 c31e97 9428->9434 9438 c31cc6 9429->9438 9440 c310f9 9431->9440 9432->9440 9441 c30fab 9433->9441 9437 c25730 2 API calls 9434->9437 9443 c31ec7 9437->9443 9439 c438b0 3 API calls 9438->9439 9439->9406 9440->9394 9442 c43840 2 API calls 9441->9442 9442->9425 9444 c25730 2 API calls 9443->9444 9445 c31f1f 9444->9445 9446 c43840 2 API calls 9445->9446 9447 c31f36 9446->9447 9969 c435c0 9447->9969 9449 c31f4d 9450 c43840 2 API calls 9449->9450 9451 c31f6e 9450->9451 9976 c4c080 9451->9976 9454 c25730 2 API calls 9455 c31fa9 9454->9455 9456 c25730 2 API calls 9455->9456 9457 c31fcd 9456->9457 9997 c2bba0 wvsprintfA 9457->9997 9459 c31fed 9460 c43840 2 API calls 9459->9460 9461 c32017 9460->9461 9462 c43840 2 API calls 9461->9462 9463 c32047 9462->9463 9464 c438b0 3 API calls 9463->9464 9466 c320a3 9464->9466 9465 c32185 CreateThread 9467 c321b3 9465->9467 9468 c321ca 9465->9468 9466->9465 9998 c45010 StartServiceCtrlDispatcherA 9467->9998 9470 c321f0 Sleep 9468->9470 9470->9470 9478 c30af0 9471->9478 9472 c3c250 6 API calls 9472->9478 9473 c2b150 5 API calls 9473->9478 9474 c30bbd Sleep 9475 c2b150 5 API calls 9474->9475 9477 c30bfc 9475->9477 9476 c23dc0 GetSystemTimeAsFileTime 9476->9478 9477->9478 9478->9472 9478->9473 9478->9474 9478->9476 9479 c30cd0 Sleep 9478->9479 9480 c30cf4 9478->9480 9479->9478 9481 c3c250 6 API calls 9480->9481 9482 c30d81 9480->9482 9483 c30df4 9480->9483 9481->9480 9485 c41e90 9 API calls 9482->9485 9484 c2b150 5 API calls 9483->9484 9487 c30e1c 9484->9487 9486 c30da0 Sleep 9485->9486 9486->9480 9486->9483 9488 c31178 9487->9488 9490 c30e9a GetModuleFileNameA SetFileAttributesA CopyFileA 9487->9490 9492 c30e88 9487->9492 9489 c438b0 3 API calls 9488->9489 9491 c3119f 9489->9491 9493 c25730 2 API calls 9490->9493 9495 c42780 ExitProcess 9491->9495 9492->9490 9494 c30f2b 9493->9494 9498 c43840 2 API calls 9494->9498 9496 
c311fc GetCommandLineA 9495->9496 9497 c3bf70 lstrlen 9496->9497 9499 c3121a 9497->9499 9500 c30f61 9498->9500 10309 c240b0 lstrlen 9499->10309 9502 c25730 2 API calls 9500->9502 9512 c30ff1 9500->9512 9501 c310d7 SetFileAttributesA 9506 c310f9 9501->9506 9507 c30fab 9502->9507 9505 c31085 SetFileAttributesA 9505->9506 9506->9488 9509 c43840 2 API calls 9507->9509 9509->9512 9510 c31257 GetModuleFileNameA 10310 c32290 lstrlen CharLowerBuffA 9510->10310 9512->9501 9512->9505 9513 c31347 10311 c32290 lstrlen CharLowerBuffA 9513->10311 9515 c313cd 10312 c32290 lstrlen CharLowerBuffA 9515->10312 9517 c316fa 9518 c272e0 6 API calls 9517->9518 9519 c31752 9518->9519 9520 c3177a 9519->9520 9521 c42780 ExitProcess 9519->9521 9523 c4cbe0 25 API calls 9520->9523 9521->9520 9524 c317df 9523->9524 9525 c23dc0 GetSystemTimeAsFileTime 9524->9525 9526 c31805 9525->9526 9528 c25f60 lstrlen 9526->9528 9527 c31406 9527->9517 9529 c37f00 16 API calls 9527->9529 9537 c3182e 9528->9537 9530 c31523 9529->9530 9532 c260a0 10 API calls 9530->9532 9534 c3156e 9532->9534 9533 c316cf 9535 c42780 ExitProcess 9533->9535 9534->9533 9536 c25730 2 API calls 9534->9536 9535->9517 9538 c3160a 9536->9538 9539 c3192c WSAStartup 9537->9539 10313 c240b0 lstrlen 9538->10313 9541 c31965 9539->9541 9547 c319c2 9539->9547 9543 c25730 2 API calls 9541->9543 9542 c3161f MessageBoxA 9545 c31682 9542->9545 9544 c3197b 9543->9544 9548 c3d060 2 API calls 9544->9548 9546 c43840 2 API calls 9545->9546 9549 c316a3 9546->9549 9550 c31a73 9547->9550 9552 c424e0 15 API calls 9547->9552 9548->9547 9551 c42780 ExitProcess 9549->9551 9554 c31ab4 CloseHandle SetFileAttributesA CopyFileA 9550->9554 9564 c31d89 9550->9564 9551->9533 9553 c31a22 9552->9553 9555 c31a43 9553->9555 9558 c42780 ExitProcess 9553->9558 9556 c31b15 SetFileAttributesA 9554->9556 9557 c31cf0 9554->9557 9559 c33ec0 2 API calls 9555->9559 9567 c31b60 9556->9567 9560 c26590 WaitForSingleObject 9557->9560 9558->9555 9559->9550 9562 c31d49 9560->9562 9571 
[Execution graph: Joe Sandbox IDA plugin call-graph rendering (numbered nodes, function addresses in the 0xC2xxxx-0xC5xxxx range and node-to-node edges) that does not survive as readable text. APIs named on the graph nodes: ExitProcess, Sleep, SetFileAttributesA, CopyFileA, lstrlen, wvsprintfA, CreateThread, StartServiceCtrlDispatcherA, GetProcessHeap, RtlAllocateHeap, RtlFreeHeap, RtlReAllocateHeap, HeapAlloc, HeapFree, GetSystemTime, GetSystemTimeAsFileTime, GetTickCount, GetVersionExA, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetProcAddress, GetCurrentProcess, GetWindowsDirectoryA, GetTempPathA, CreateDirectoryA, DeleteFileA, RemoveDirectoryA, CreateFileA, ReadFile, WriteFile, GetFileTime, GetFileSize, CloseHandle, FindFirstFileA, FindNextFileA, FindClose, CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, TerminateProcess, CreateProcessA, CharLowerBuffA, GetComputerNameA, WaitForSingleObject, ReleaseMutex, OpenSCManagerA, CreateServiceA, OpenServiceA, ChangeServiceConfig2A, StartServiceA, CloseServiceHandle, RegOpenKeyA, RegSetValueExA, RegCloseKey, LoadLibraryA, FreeLibrary, socket, setsockopt, gethostbyname, inet_ntoa, inet_addr, htons, connect, send, recv, closesocket.]
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00C303F9
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00C30427
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00C3046A
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00C30496
• GetTickCount.KERNEL32 ref: 00C30587
• GetCommandLineA.KERNEL32 ref: 00C3063E
• Sleep.KERNEL32(000003E8), ref: 00C30CDF
  • Part of subcall function 00C2B150: CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00C2B1D7
• Sleep.KERNEL32(00000D05), ref: 00C30BD2
  • Part of subcall function 00C2B150: GetFileTime.KERNEL32(00000000,?,?,?), ref: 00C2B256
  • Part of subcall function 00C2B150: CloseHandle.KERNEL32(00000000), ref: 00C2B26B
• Sleep.KERNEL32(000007D0), ref: 00C30DD1
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00C30EA8
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00C30ECC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00C30EFE
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00C310B9
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00C310E7
• GetCommandLineA.KERNEL32(00000000), ref: 00C3120E
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 00C3132B
  • Part of subcall function 00C32290: lstrlen.KERNEL32(?), ref: 00C322A2
  • Part of subcall function 00C32290: CharLowerBuffA.USER32(?,00000000), ref: 00C322BE
• MessageBoxA.USER32(00000000,00000004,00000005,00000000), ref: 00C31663
  • Part of subcall function 00C272E0: CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00C27452
• CloseHandle.KERNEL32(FFFFFFFF), ref: 00C31AC5
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00C31AE1
• CopyFileA.KERNEL32(?,?,00000000), ref: 00C31B07
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00C31B43
• Sleep.KERNEL32(000003E8), ref: 00C31CAC
• WSAStartup.WS2_32(00000202,?), ref: 00C31947
  • Part of subcall function 00C42780: ExitProcess.KERNEL32 ref: 00C427B0
• Sleep.KERNEL32(000007D0), ref: 00C31DFC
• SetFileAttributesA.KERNEL32(00C66680,00000080), ref: 00C31E27
• CopyFileA.KERNEL32(?,00C66680,00000000), ref: 00C31E45
• SetFileAttributesA.KERNEL32(00C66680,00000002), ref: 00C31E7B
  • Part of subcall function 00C4C080: Sleep.KERNEL32(000003E8), ref: 00C4C1C3
  • Part of subcall function 00C2BBA0: wvsprintfA.USER32(00000000,?,00C409D1), ref: 00C2BBEB
• CreateThread.KERNEL32(00000000,00000000,Function_0002FE10,00000000,00000000,00000000), ref: 00C32194
• Sleep.KERNEL32(0000C350), ref: 00C32210
Strings
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$AttributesSleep$Create$CopyMutex$CloseCommandHandleLineModuleName$BuffCharCountEnvironmentExitLowerMessageProcessStartupThreadTickTimeVariablelstrlenwvsprintf
                                                                                                                                                                                                              • String ID: C:\Users\user$x7;C
                                                                                                                                                                                                              • API String ID: 1500488346-3147083300
                                                                                                                                                                                                              • Opcode ID: c9dd9cd269a22500438e56c139347f0ef2bdb2caa18119d7809544cfade5fea9
                                                                                                                                                                                                              • Instruction ID: 077a0fb35463b659fe0fb9efd544b7dc238cb0e9adabdb7f67757dfceb2c390e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c9dd9cd269a22500438e56c139347f0ef2bdb2caa18119d7809544cfade5fea9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: CC03D279A103009FD728DF66ED92B6E37F5F754302F14812AE802E72B1EBB49981DB51

Control-flow Graph
(rendered graph not preserved in this extract; legend: Executed / Not Executed)
APIs
• GetVersionExA.KERNEL32(00C6EAC8), ref: 00C32572
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00C326EF
• DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00C32843
• RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00C3289F
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00C3293F
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C329E1
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00C32CAC
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00C32D6E
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00C32EB0
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00C3307B
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00C331FA
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 00C3344D
Strings
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Users\user$C:\daxjjwrfm\$Wq0O$\
• API String ID: 1691758827-149769076
• Opcode ID: 2d8f9dbe48c0a40ad6fc861f317515e55154273908a4fecd6897857f21812fe1
• Instruction ID: 317744578c7124649babfebf0156ee9f210039166b148b18708adbd75975f653
• Opcode Fuzzy Hash: 2d8f9dbe48c0a40ad6fc861f317515e55154273908a4fecd6897857f21812fe1
• Instruction Fuzzy Hash: 91820579910305CBC728DF66EC927BE37B5FB54312F00812AE502E72B1EBB49A85DB51

Control-flow Graph
(rendered graph not preserved in this extract; legend: Executed / Not Executed)
APIs
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00C4327A
• WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 00C4344B
• CloseHandle.KERNELBASE(?), ref: 00C434DA
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID:
• API String ID: 1065093856-0
• Opcode ID: 4fe8bcb534688b22f888f01159fbfc3967ed2a6549b050bdc728cc6452d8afc3
• Instruction ID: ded5e631bd5c2a1e5aa089fb3dc7cb30ecacb789a2c95bf1a3c18118f074a48d
• Opcode Fuzzy Hash: 4fe8bcb534688b22f888f01159fbfc3967ed2a6549b050bdc728cc6452d8afc3
• Instruction Fuzzy Hash: E6C1D079A10750DBC724CF6AFC9176E33F5F794326B10811AE802DB2B5E7B49A82DB40

Control-flow Graph
(rendered graph not preserved in this extract; legend: Executed / Not Executed)
APIs
• AllocateAndInitializeSid.ADVAPI32(00C32591,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00C32591), ref: 00C4C701
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C4C737
• FreeSid.ADVAPI32(?), ref: 00C4C798
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 181c7dbd49076b4492166b90e72d74321cb8e9fa808bf23bbce3ca0e1c99850c
• Instruction ID: 98a5a68fe2e052a049d4e952aee6325c16b6f27a1d05ba9b1e95cf12741299ef
• Opcode Fuzzy Hash: 181c7dbd49076b4492166b90e72d74321cb8e9fa808bf23bbce3ca0e1c99850c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3F41BE39A05344DFC718CB69EDD6BAE7BB4FB58302B50815AE502E7271E770AA84CF05

Control-flow Graph (node legend: Executed / Not Executed)
control_flow_graph 718 c36f00-c36f12 719 c36f43-c36f67 GetProcessHeap RtlAllocateHeap 718->719 720 c36f14-c36f2e 718->720 720->719 721 c36f30-c36f3c 720->721 721->719
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,00C39195,021A1850,?,?,?,?,?,00C46DD6), ref: 00C36F59
• RtlAllocateHeap.NTDLL(00000000,?,00C39195,021A1850,?,?,?,?,?,00C46DD6), ref: 00C36F60
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 0deafb8502617fd8449614fa0650b960843ed2cb6a43d4df8ecc67a4914d79a6
• Instruction ID: 5d23b4825fab11647d4e0c6cdd883ebf9c8c616eca6d6fc4ac8832c69a38b1f2
• Opcode Fuzzy Hash: 0deafb8502617fd8449614fa0650b960843ed2cb6a43d4df8ecc67a4914d79a6
• Instruction Fuzzy Hash: BBF08235515B018BCB18DB65FD99B3937E9EB49642B044014F106975A0EAF5958087D8

Control-flow Graph (node legend: Executed / Not Executed)
control_flow_graph 722 c3c520-c3c52d 723 c3c543-c3c565 GetProcessHeap RtlFreeHeap 722->723 724 c3c52f-c3c53c 722->724 725 c3c567-c3c576 723->725 726 c3c57c-c3c57d 723->726 724->723 725->726
APIs
• GetProcessHeap.KERNEL32(00000000,00C50A4E,?,00C50A4E,00000000), ref: 00C3C549
• RtlFreeHeap.NTDLL(00000000,?,00C50A4E,00000000), ref: 00C3C550
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 27951d0f6cf1741b5b201ccc392c817166c7cf3041cbea264b5803a264028383
• Instruction ID: 168ec6773f563c978b70c78886940b25d7bc8ec178bb0fc3507444b0140daa40
• Opcode Fuzzy Hash: 27951d0f6cf1741b5b201ccc392c817166c7cf3041cbea264b5803a264028383
• Instruction Fuzzy Hash: BEF0E5758083048FDA24DF59EC9577D37F4EB04305F00040AE906E7260E7B4F880DB59

Control-flow Graph (node legend: Executed / Not Executed)
control_flow_graph 727 c32290-c322df lstrlen CharLowerBuffA
APIs
• lstrlen.KERNEL32(?), ref: 00C322A2
• CharLowerBuffA.USER32(?,00000000), ref: 00C322BE
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0
• Opcode ID: 27d89a4eb37636c7007056e70656f6b72f6b92f636a8ae555f8aa19a005c3723
• Instruction ID: 46e50e327289ac05d94bb40e86e8be2799c2658f43b559add032de1ec0e0bf6f
• Opcode Fuzzy Hash: 27d89a4eb37636c7007056e70656f6b72f6b92f636a8ae555f8aa19a005c3723
• Instruction Fuzzy Hash: EDE0DF761146209BC3209F9AFC493FD37ECFA083063040256F549D31B0EBE458818390

Control-flow Graph (node legend: Executed / Not Executed)
control_flow_graph 728 c272e0-c2739e call c45860 call c25730 733 c273a0-c273bc 728->733 734 c273ca-c273f0 call c450d0 728->734 733->734 735 c273be-c273c4 733->735 738 c273f2-c2740e 734->738 739 c27427-c27475 call c43840 CreateFileA 734->739 735->734 741 c27410-c2741b 738->741 742 c2741d 738->742 744 c2747b-c274e0 739->744 745 c274fd-c27507 739->745 741->739 742->739 746 c274e2-c274fb 744->746 747 c27548-c27590 call c49e60 744->747 748 c2752a-c27542 745->748 749 c27509-c27524 745->749 746->747 748->747 749->748
APIs
• CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00C27452
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: ff9a6ce975d65d88b60ea674c874f2e84d0342880bcf0e7723c7f2ef4577adad
• Instruction ID: 2469d65554ec55503c909d2f1715713bbe2cd3706913c335fc3fa83d53030910
• Opcode Fuzzy Hash: ff9a6ce975d65d88b60ea674c874f2e84d0342880bcf0e7723c7f2ef4577adad
• Instruction Fuzzy Hash: B751E47AA043108FD328DF2AFC9276D37B5F784712F14812AE502E76B1E7B49981CB55
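The API lines in these function records carry raw hex arguments that an analyst has to decode by hand: the CreateFileA call at 00C27452 passes dwDesiredAccess C0000000 (GENERIC_READ|GENERIC_WRITE) and dwCreationDisposition 2 (CREATE_ALWAYS), so this function creates or overwrites a file rather than merely opening one; the GetStdHandle arguments 000000F6, 000000F5 and 000000F4 listed for the next function are STD_INPUT_HANDLE, STD_OUTPUT_HANDLE and STD_ERROR_HANDLE, a C-runtime initialisation pattern; and the GetProcessHeap/RtlAllocateHeap and GetProcessHeap/RtlFreeHeap pairs are an allocator wrapper, with the heap handle going straight into the Rtl call as the control-flow graphs show. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses call lines in the "Api.Module(args), ref: addr" shape this page uses and decodes those arguments. The sample lines are copied from this page; the Win32 constants are the SDK values; the guess that the report prints (DWORD)-10 as 000000F6, keeping only the low byte, is an assumption about the report's formatting and is matched on that byte only.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: API-call lines in the shape Joe Sandbox prints on this
# page. "?" marks an argument the sandbox did not recover.
SAMPLE_LINES = [
    "GetProcessHeap.KERNEL32(00000000,?,?,00C39195,021A1850,?,?,?,?,?,00C46DD6), ref: 00C36F59",
    "RtlAllocateHeap.NTDLL(00000000,?,00C39195,021A1850,?,?,?,?,?,00C46DD6), ref: 00C36F60",
    "CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00C27452",
    "GetStdHandle.KERNEL32(000000F6,?,?,00C46D5F), ref: 00C22113",
    "GetStdHandle.KERNEL32(000000F5,?,?,00C46D5F), ref: 00C22145",
    "GetStdHandle.KERNEL32(000000F4,?,?,00C46D5F), ref: 00C22198",
    "ExitProcess.KERNEL32 ref: 00C46E44",
]

# "<Api>.<Module>(<hex args>), ref: <caller>"; the argument list is optional
# because the report omits it for calls such as ExitProcess above.
CALL_RE = re.compile(
    r"^\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 SDK constants used to decode CreateFileA and GetStdHandle arguments.
GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
CREATION_DISPOSITION = {
    1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
}
STD_HANDLE = {
    0xFFFFFFF6: "STD_INPUT_HANDLE",   # (DWORD)-10
    0xFFFFFFF5: "STD_OUTPUT_HANDLE",  # (DWORD)-11
    0xFFFFFFF4: "STD_ERROR_HANDLE",   # (DWORD)-12
}


def parse_call(line: str) -> Optional[Dict]:
    """Split one report line into api, module, argument list and caller address."""
    m = CALL_RE.match(line)
    if not m:
        return None
    raw = (m.group("args") or "").strip()
    args: List[Optional[int]] = []
    if raw:
        for a in raw.split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def decode_access(mask: int) -> List[str]:
    """Expand a dwDesiredAccess mask into GENERIC_* names; leftover bits stay hex."""
    names = [name for bit, name in GENERIC_ACCESS.items() if mask & bit]
    rest = mask & ~sum(GENERIC_ACCESS)
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def decode_std_handle(value: int) -> str:
    # Assumption: the report renders (DWORD)-10 as 000000F6, i.e. only the low
    # byte of the constant survives, so match on the low byte.
    for const, name in STD_HANDLE.items():
        if (value & 0xFF) == (const & 0xFF):
            return name
    return f"0x{value:08X}"


def describe(call: Dict) -> str:
    """Render one parsed call with its interesting arguments decoded."""
    api, args = call["api"], call["args"]
    ref = f"@{call['ref']:08X}"
    if api == "CreateFileA" and len(args) >= 5:
        access = "?" if args[1] is None else ("|".join(decode_access(args[1])) or "0")
        disp = "?" if args[4] is None else CREATION_DISPOSITION.get(args[4], f"0x{args[4]:X}")
        return f"{ref} CreateFileA(access={access}, disposition={disp})"
    if api == "GetStdHandle" and args and args[0] is not None:
        return f"{ref} GetStdHandle({decode_std_handle(args[0])})"
    shown = ",".join("?" if a is None else f"0x{a:X}" for a in args)
    return f"{ref} {api}({shown})"


def summarize(lines: List[str]) -> List[str]:
    """Decode every call line; lines that are not call records are skipped."""
    return [describe(c) for c in map(parse_call, lines) if c]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LINES):
        print(entry)
```

`summarize()` takes the bullet text of any function block's APIs list (with the leading "• " removed) and returns one decoded line per call, so the same routine can be run over an entire report export to find every CreateFileA with a write or create disposition.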

Control-flow Graph (node legend: Executed / Not Executed)
control_flow_graph 752 c46d32-c46dd1 call c22ef0 call c220e0 call c45400 call c38660
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00C220E0: GetStdHandle.KERNEL32(000000F6,?,?,00C46D5F), ref: 00C22113
                                                                                                                                                                                                                • Part of subcall function 00C220E0: GetStdHandle.KERNEL32(000000F5,?,?,00C46D5F), ref: 00C22145
                                                                                                                                                                                                                • Part of subcall function 00C220E0: GetStdHandle.KERNEL32(000000F4,?,?,00C46D5F), ref: 00C22198
                                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 00C46E44
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Handle$ExitProcess
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 256993070-0
                                                                                                                                                                                                              • Opcode ID: 12962d104f23e1470c23c905f82df49c1f7e053d2a1ef9cea772e9cf7e4a913f
                                                                                                                                                                                                              • Instruction ID: 026dffe97dfa0d94c362bca78d592a41f6cc1e8fc17d6393dd601a70a9827d72
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 12962d104f23e1470c23c905f82df49c1f7e053d2a1ef9cea772e9cf7e4a913f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D721DB3AA1161087C728DF75FC9237D37A2E7547223048526EC0187B79FBB58985D742

Control-flow Graph
control_flow_graph 762 c42780-c427b0 call c2ad30 ExitProcess
APIs
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 48b76c3e454a27478c75f43981c4ea385e2e3bb583a35ec5af57f202f6d06b30
• Instruction ID: a54b1770b196b70304880f9f6c5da608009657fd9c0749f22eadca36b5ee3b73
• Opcode Fuzzy Hash: 48b76c3e454a27478c75f43981c4ea385e2e3bb583a35ec5af57f202f6d06b30
• Instruction Fuzzy Hash: E1D05E784203148B8724AF25FC957293BADFB407017801416E4058B630F3B4EA8287D1

Control-flow Graph
control_flow_graph 802 c4eeb0-c4efc4 call c49e60 805 c4efc6 802->805 806 c4efd0-c4f013 CreatePipe 802->806 805->806 807 c4f015-c4f033 806->807 808 c4f038-c4f048 806->808 811 c4f3cc-c4f3f2 807->811 809 c4f07f-c4f0ae SetHandleInformation CreatePipe 808->809 810 c4f04a-c4f061 808->810 814 c4f104-c4f12e 809->814 815 c4f0b0-c4f0cd 809->815 812 c4f075 810->812 813 c4f063-c4f073 810->813 816 c4f5df-c4f5eb 811->816 817 c4f3f8-c4f40f 811->817 812->809 813->809 822 c4f140-c4f165 SetHandleInformation 814->822 823 c4f130-c4f13b 814->823 820 c4f377-c4f3a3 CloseHandle 815->820 821 c4f0d3-c4f0ff 815->821 819 c4f5f1-c4f610 call c26660 816->819 818 c4f415-c4f425 817->818 817->819 818->819 833 c4f617-c4f637 819->833 826 c4f3a5-c4f3a9 CloseHandle 820->826 827 c4f3af-c4f3c6 820->827 821->820 824 c4f197-c4f214 call c49e60 * 2 822->824 825 c4f167-c4f176 822->825 823->822 837 c4f216-c4f222 824->837 838 c4f228-c4f26e 824->838 830 c4f184-c4f191 825->830 831 c4f178-c4f182 825->831 826->827 827->811 827->833 830->824 831->824 837->838 839 c4f297-c4f2de CreateProcessA 838->839 840 c4f270-c4f290 838->840 841 c4f325-c4f337 839->841 842 c4f2e0-c4f306 839->842 840->839 843 c4f33d-c4f33f 841->843 842->843 844 c4f308-c4f323 842->844 845 c4f345 843->845 846 c4f42a-c4f44e WriteFile 843->846 844->843 849 c4f34f-c4f36d CloseHandle * 2 845->849 847 c4f450-c4f469 846->847 848 c4f49f-c4f4b1 846->848 847->849 850 c4f46f-c4f48a 847->850 851 c4f4d0-c4f500 CloseHandle * 2 848->851 852 c4f4b3-c4f4c9 848->852 849->820 850->849 853 c4f490-c4f49a 850->853 854 c4f502 851->854 855 c4f50c-c4f5d8 call c41720 WaitForSingleObject CloseHandle * 2 851->855 852->851 853->849 854->855 855->816
APIs
• CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 00C4F00B
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00C4F086
• CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 00C4F0A6
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00C4F147
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 00C4F2C2
• CloseHandle.KERNEL32(00000000), ref: 00C4F353
• CloseHandle.KERNEL32(?), ref: 00C4F367
• CloseHandle.KERNEL32(00000000), ref: 00C4F37B
• CloseHandle.KERNEL32(00000000), ref: 00C4F3A9
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C4F446
• CloseHandle.KERNEL32(00000000), ref: 00C4F4D4
• CloseHandle.KERNEL32(00000000), ref: 00C4F4E8
• WaitForSingleObject.KERNEL32(?,00002710), ref: 00C4F56B
• CloseHandle.KERNEL32(?), ref: 00C4F586
• CloseHandle.KERNEL32(?), ref: 00C4F5A7
Strings
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: ;8\w$<,]8$D
• API String ID: 1130065513-4129721015
• Opcode ID: b4a01b9094b357c70b3e22e30c83272c8e211c53b8f5738fc36d28c5223fb3a9
• Instruction ID: 01ef8e09c7d39b3fcec481019ec6bbc3597065f85c91c44083ee7afdf543c2eb
• Opcode Fuzzy Hash: b4a01b9094b357c70b3e22e30c83272c8e211c53b8f5738fc36d28c5223fb3a9
• Instruction Fuzzy Hash: 7012B179A10305DFC728CF66ED91BAE37B5FB54712B10812EE802E7674E7B49981CB50
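Analyst note and added example (this is not Joe Sandbox output and not code from the analysed sample). The API listing for c4eeb0 above is the standard redirected-stdio child-process pattern: two CreatePipe calls each passing a SECURITY_ATTRIBUTES structure (nLength 0xC), SetHandleInformation(h, HANDLE_FLAG_INHERIT = 1, 0) clearing inheritance on the parent's end of each pipe, CreateProcessA with bInheritHandles = 1 and a STARTUPINFO argument whose first field reads 0x44 (sizeof STARTUPINFOA), a WriteFile into the child's pipe, then WaitForSingleObject with a 0x2710 (10000 ms) timeout before the handles are closed. In the same way, the 000000F6/F5/F4 arguments to GetStdHandle in the c46d32 subcall are the low bytes of STD_INPUT_HANDLE, STD_OUTPUT_HANDLE and STD_ERROR_HANDLE ((DWORD)-10, -11, -12). The script below parses lines in the report's "Name.MODULE(args), ref: addr" format, decodes these constants, and flags the pipe / inherit / CreateProcess / WriteFile / wait subsequence; its decoder table also covers the TH32CS_SNAPPROCESS and PROCESSENTRY32.dwSize (0x128) values that appear in the c4b7f0 listing further down. The input is constructed from lines in this report; the parser, the decoder table, the pattern rule and all function names are this example's own, not Joe Sandbox's.

```python
"""Decode a Joe Sandbox "APIs" listing and flag redirected-stdio process creation.

Added example, not Joe Sandbox output or code from the analysed sample. The
parser, the constant decoders and the pattern rule are this example's own.
"""
import re

# Constructed input: API lines copied from this report (function c4eeb0, the
# GetStdHandle subcall of c46d32, and two lines from the c4b7f0 listing).
TRACE = """\
CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 00C4F00B
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00C4F086
CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 00C4F0A6
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00C4F147
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 00C4F2C2
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C4F446
WaitForSingleObject.KERNEL32(?,00002710), ref: 00C4F56B
GetStdHandle.KERNEL32(000000F6,?,?,00C46D5F), ref: 00C22113
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00C4B8EC
Process32First.KERNEL32(00000000,00000128), ref: 00C4BA96
"""

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


def parse_line(line):
    """Return {"api", "module", "args", "ref"} or None; '?' (unresolved) becomes None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": [None if a == "?" else int(a, 16) for a in args],
        "ref": int(m.group("ref"), 16),
    }


def _std_handle(v):
    # STD_INPUT/OUTPUT/ERROR_HANDLE are (DWORD)-10/-11/-12; the report shows the low byte.
    return {0xF6: "STD_INPUT_HANDLE", 0xF5: "STD_OUTPUT_HANDLE",
            0xF4: "STD_ERROR_HANDLE"}.get(v & 0xFF)


# (API name, zero-based argument index) -> decoder returning a label or None.
DECODERS = {
    ("GetStdHandle", 0): _std_handle,
    ("CreatePipe", 2): lambda v: "SECURITY_ATTRIBUTES.nLength=12" if v == 0xC else None,
    ("SetHandleInformation", 1): lambda v: "HANDLE_FLAG_INHERIT" if v == 1 else None,
    ("CreateProcessA", 4): lambda v: "bInheritHandles=TRUE" if v == 1 else "bInheritHandles=FALSE",
    ("CreateProcessA", 8): lambda v: "STARTUPINFOA.cb=0x44" if v == 0x44 else None,
    ("WaitForSingleObject", 1): lambda v: "INFINITE" if v == 0xFFFFFFFF else f"timeout={v} ms",
    ("CreateToolhelp32Snapshot", 0): lambda v: "TH32CS_SNAPPROCESS" if v & 0x2 else None,
    ("Process32First", 1): lambda v: "PROCESSENTRY32.dwSize=0x128" if v == 0x128 else None,
}


def decode(call):
    """Labels for the arguments of one parsed call, in argument order."""
    notes = []
    for i, v in enumerate(call["args"]):
        fn = DECODERS.get((call["api"], i))
        if fn is not None and v is not None:
            label = fn(v)
            if label:
                notes.append(label)
    return notes


# Order-sensitive subsequence: pipe created, inheritance adjusted, child spawned
# with inherited handles, data written into it, then waited on.
REDIRECTED_EXEC = ["CreatePipe", "SetHandleInformation", "CreateProcessA",
                   "WriteFile", "WaitForSingleObject"]


def matches_redirected_exec(calls):
    """True when REDIRECTED_EXEC occurs in order and CreateProcessA inherits handles."""
    want = iter(REDIRECTED_EXEC)
    nxt = next(want)
    inherit = False
    for c in calls:
        if c["api"] != nxt:
            continue
        if nxt == "CreateProcessA":
            inherit = len(c["args"]) > 4 and c["args"][4] == 1
        nxt = next(want, None)
        if nxt is None:
            return inherit
    return False


def analyze(text):
    """Parse every API line, decode constants, and report the pattern verdict."""
    calls = [c for c in (parse_line(l) for l in text.splitlines()) if c]
    for c in calls:
        c["notes"] = decode(c)
    return {"calls": calls, "redirected_exec": matches_redirected_exec(calls)}


def first_call(result, api):
    """First parsed call with the given API name, or None."""
    return next((c for c in result["calls"] if c["api"] == api), None)


if __name__ == "__main__":
    result = analyze(TRACE)
    for c in result["calls"]:
        print(f"{c['ref']:08X} {c['api']:<25} {', '.join(c['notes'])}")
    print("redirected-stdio exec pattern:", result["redirected_exec"])
```

Paste any function's "APIs" block into TRACE to triage it the same way. The subsequence check is deliberately order-sensitive and requires bInheritHandles = 1, so a function that merely creates a pipe or closes handles does not match; only the full spawn-with-inherited-stdio shape seen in c4eeb0 does.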

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                              control_flow_graph 1227 c4b7f0-c4b82d 1228 c4b82f-c4b857 1227->1228 1229 c4b86a-c4b8d6 1227->1229 1228->1229 1230 c4b859-c4b865 1228->1230 1231 c4b8e8-c4b926 CreateToolhelp32Snapshot 1229->1231 1232 c4b8d8-c4b8e3 1229->1232 1230->1229 1233 c4ba05-c4ba43 1231->1233 1234 c4b92c-c4b93b 1231->1234 1232->1231 1235 c4ba45-c4ba55 1233->1235 1236 c4ba8d-c4bab9 Process32First 1233->1236 1237 c4b947-c4b99a call c25730 call c438a0 1234->1237 1238 c4b93d 1234->1238 1242 c4ba57-c4ba6b 1235->1242 1243 c4ba6d-c4ba87 1235->1243 1239 c4bacf-c4bad1 1236->1239 1240 c4babb-c4bac8 1236->1240 1253 c4b99c-c4b9b1 1237->1253 1254 c4b9bf-c4b9d8 1237->1254 1238->1237 1244 c4bad7-c4bada 1239->1244 1245 c4be7e-c4bebd CloseHandle 1239->1245 1240->1239 1242->1236 1243->1236 1247 c4bae0 1244->1247 1248 c4bae3-c4bb54 call c240b0 1244->1248 1247->1248 1255 c4bc51-c4bca8 CreateToolhelp32Snapshot 1248->1255 1256 c4bb5a-c4bb96 call c25730 1248->1256 1257 c4b9b3-c4b9bd 1253->1257 1258 c4b9de-c4ba04 call c43840 1253->1258 1254->1258 1259 c4bcca-c4bcd7 1255->1259 1260 c4bcaa-c4bcc8 1255->1260 1268 c4bbae-c4bbbb 1256->1268 1269 c4bb98-c4bbac 1256->1269 1257->1258 1263 c4bcde-c4bcee Module32First 1259->1263 1260->1263 1266 c4bcf0-c4bd02 1263->1266 1267 c4bd31-c4bd5e call c25730 1263->1267 1270 c4bd04 1266->1270 1271 c4bd0e-c4bd2c call c438a0 1266->1271 1279 c4bd60 1267->1279 1280 c4bd6a-c4bdad call c438a0 call c43840 1267->1280 1272 c4bbc0-c4bc19 call c2bba0 call c43840 1268->1272 1269->1272 1270->1271 1282 c4bdb4-c4bdc3 1271->1282 1291 c4bc39-c4bc47 call c438a0 1272->1291 1292 c4bc1b-c4bc31 1272->1292 1279->1280 1280->1282 1285 c4bdc5-c4bde1 1282->1285 1286 c4bdea 1282->1286 1289 c4bdf4-c4be62 call c25f40 CloseHandle Process32Next 1285->1289 1290 c4bde3-c4bde8 1285->1290 1286->1289 1299 c4be64 
1289->1299 1300 c4be6e-c4be70 1289->1300 1290->1289 1291->1255 1292->1291 1295 c4bc33 1292->1295 1295->1291 1299->1300 1300->1247 1301 c4be76-c4be79 1300->1301 1301->1245
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00C4B8EC
                                                                                                                                                                                                              • Process32First.KERNEL32(00000000,00000128), ref: 00C4BA96
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: CreateFirstProcess32SnapshotToolhelp32
• String ID: 9y8
• API String ID: 2353314856-3592070472
• Opcode ID: 30fcde7de3886b4f75e5fc831f327378148b6d3deed390a88901523668ce0f57
• Instruction ID: 5a981726b936463b42c025025e10217c102ddf8a4acd4d7fc7767faa8541fd5f
• Opcode Fuzzy Hash: 30fcde7de3886b4f75e5fc831f327378148b6d3deed390a88901523668ce0f57
• Instruction Fuzzy Hash: FBF1F279A103118BC728CF2AED9277E37F5FB94312B14821AE406E72B4E7B49981DB51
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00C3826F
• CreateServiceA.ADVAPI32(00000000,00F63FE8,00F63FE8,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00C382CA
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00C38301
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00C38323
• CloseServiceHandle.ADVAPI32(00000000), ref: 00C3833A
• OpenServiceA.ADVAPI32(00000000,00F63FE8,00000010), ref: 00C3838B
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00C383C2
• CloseServiceHandle.ADVAPI32(00000000), ref: 00C38408
• CloseServiceHandle.ADVAPI32(00000000), ref: 00C38481
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID:
• API String ID: 3525021261-0
• Opcode ID: 0e838e06b8785c7908354440433ad9990493afbb4a7799af6d4550d034746d48
• Instruction ID: afe736519a34db089f2a2e520e674b434682a6b41ddf92132de2ee14333fd2b7
• Opcode Fuzzy Hash: 0e838e06b8785c7908354440433ad9990493afbb4a7799af6d4550d034746d48
• Instruction Fuzzy Hash: FF61BB79A147019BD324CB2AFC96B3E37F4F794B02F14411AE802E66B0EBB499C5CB41
APIs
  • Part of subcall function 00C240B0: lstrlen.KERNEL32(?,?,00C21038,?), ref: 00C240DD
• Sleep.KERNEL32(000003E8), ref: 00C26189
• FindFirstFileA.KERNEL32(?,?), ref: 00C26274
• DeleteFileA.KERNEL32(?), ref: 00C2632E
• FindNextFileA.KERNEL32(?,?), ref: 00C26384
• FindClose.KERNEL32(?), ref: 00C263AA
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleeplstrlen
• String ID: ysh
• API String ID: 3282225923-1904326249
• Opcode ID: 7d76687d16e112ba32ec1badb49ea906a557971391a35faac4b3352bfdb74667
• Instruction ID: 278b63c5cd9da670589dcce28745b520fb6a0bd96edcd45e1e38d129e6a88377
• Opcode Fuzzy Hash: 7d76687d16e112ba32ec1badb49ea906a557971391a35faac4b3352bfdb74667
• Instruction Fuzzy Hash: 4E81D0799003149FC738CF66FD82BAE77B5FB94311F14815AE506A72B0EBB09A81CB51
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000,00000001), ref: 00C4A124
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,0000000A,?,00000000,?,00000000,00000001), ref: 00C4A164
• GetLastError.KERNEL32(?,00000000,00000001), ref: 00C4A176
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,-0000001A,0000000A,?,00000000,00000001), ref: 00C4A24F
  • Part of subcall function 00C2BBA0: wvsprintfA.USER32(00000000,?,00C409D1), ref: 00C2BBEB
• CloseServiceHandle.ADVAPI32(00000000,00000001), ref: 00C4A44C
Similarity
• API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicewvsprintf
• String ID:
• API String ID: 475583450-0
• Opcode ID: 594178828c7b078a2a6e08487dc62ac7a682f7a6166af5657b0c5c1379b2a2ce
• Instruction ID: 25a56536193cc54c083ddf711098abe94a30b895370eb34e9a6e02d142cfda68
• Opcode Fuzzy Hash: 594178828c7b078a2a6e08487dc62ac7a682f7a6166af5657b0c5c1379b2a2ce
• Instruction Fuzzy Hash: A6C1C275A10300DBD728CF66FD81B6E77F5FB98301F00812AE506EB2A0E7B09981CB52
Similarity
• API ID:
• String ID: !|/0$/$@(l$
• API String ID: 0-3106747989
• Opcode ID: 62a27755e7b2cd2d9bc1a2d61d89aa1b7a1525f3ac2cbfba381bf8b96f30cf1d
• Instruction ID: f9f0bbc937961a0a6efce8afaa14585f164f02b57a0e9e8c9731bd67e3228c2c
• Opcode Fuzzy Hash: 62a27755e7b2cd2d9bc1a2d61d89aa1b7a1525f3ac2cbfba381bf8b96f30cf1d
• Instruction Fuzzy Hash: A50237799103108BC728DF65FC92BBE77B5FB50302F14812AE506A72E2EBB05A85DF51
APIs
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00C2B1D7
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 00C2B256
• CloseHandle.KERNEL32(00000000), ref: 00C2B26B
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C2B2E7
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00C2B31A
• CloseHandle.KERNEL32(00000000), ref: 00C2B334
                                                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: td9k
• API String ID: 3236713533-1579400769
• Opcode ID: a2f9ad8818275fe3093486bd5c2f28add0982fa80407cfbd3cead665d4809743
• Instruction ID: 59c71cd85bb24754a791db859f5a2488f2ac14479dcc173ae46c4993fbed2ef9
• Opcode Fuzzy Hash: a2f9ad8818275fe3093486bd5c2f28add0982fa80407cfbd3cead665d4809743
• Instruction Fuzzy Hash: 6151BE79A113059BC324CF6AFC81B6E77B4FB84315F14825AE805EB6A0E7B09D81CF85
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(00F63FE8,Function_00014290,E4E0A1C8,?,00000072), ref: 00C2B669
• SetServiceStatus.ADVAPI32(00000000,00C667EC,?,00000072), ref: 00C2B70D
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000072), ref: 00C2B721
• SetServiceStatus.ADVAPI32(00000000,00C667EC,?,00000072), ref: 00C2B771
• WaitForSingleObject.KERNEL32(00000000,00001388,?,00000072), ref: 00C2B7D0
• SetServiceStatus.ADVAPI32(00000000,00C667EC,00000072), ref: 00C2B82A
• CloseHandle.KERNEL32(00000000), ref: 00C2B841
• SetServiceStatus.ADVAPI32(00000000,00C667EC), ref: 00C2B8AA
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
• Opcode ID: 47b708a90b18336683586aa5225080a29007cc1f06000f25ce098f9fecc4b0e2
• Instruction ID: 39497ead33e6e4802ce9c20eaccc27a0af33e47a3622822900902169b136cbb2
• Opcode Fuzzy Hash: 47b708a90b18336683586aa5225080a29007cc1f06000f25ce098f9fecc4b0e2
• Instruction Fuzzy Hash: E981AB795113118FC328CF27FD95B2E3BA5F798706B00852AE452DB6B4EBF49885CB40
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,000000FF), ref: 00C4A7F1
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,000000FF), ref: 00C4A849
• CloseHandle.KERNEL32(00000000,?,?,000000FF), ref: 00C4A885
• GetTickCount.KERNEL32 ref: 00C4A8B8
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00C4AA75
• WriteFile.KERNEL32(00000000,000000FF,?,?,00000000), ref: 00C4AAC8
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C4AAE2
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID:
• API String ID: 3478262135-0
• Opcode ID: 6bcea7c1e658168f33fb9aedfc2950abf94c4de7c062fc996d4ab7eab259bc74
• Instruction ID: 399071e6b7019a3282550c9bab9fc3b6edde57d4257d3cc74b23c537e1f46ef2
• Opcode Fuzzy Hash: 6bcea7c1e658168f33fb9aedfc2950abf94c4de7c062fc996d4ab7eab259bc74
• Instruction Fuzzy Hash: 48A111796003109FD324DF26EC82B7E33B5FB88712F14411AF805E72A4E7B49881DB96
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C41F5E
• Process32First.KERNEL32(00000000,00000128), ref: 00C41FDC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C420A2
Similarity
• API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
• String ID:
• API String ID: 3397401024-0
• Opcode ID: 196b2614437a218df9c31e85585ddcaceb1f69257e7860745ee1d0f77e839c51
• Instruction ID: 0c22815f6a45fc00360ef1625713fd14410cbca0d40cf4e9a3030f933a9ddd72
• Opcode Fuzzy Hash: 196b2614437a218df9c31e85585ddcaceb1f69257e7860745ee1d0f77e839c51
• Instruction Fuzzy Hash: B3A1ACB9A01310CBD728DF26ED927AD77B5FB54312B10421AE806EA274E7B49A85CF50
APIs
  • Part of subcall function 00C240B0: lstrlen.KERNEL32(?,?,00C21038,?), ref: 00C240DD
• CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000), ref: 00C4BC6C
• Module32First.KERNEL32(00000000,00000224), ref: 00C4BCE6
• CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 00C4BE0E
• Process32Next.KERNEL32(?,00000128), ref: 00C4BE48
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00C4BE96
Strings
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandle$CreateFirstModule32NextProcess32SnapshotToolhelp32lstrlen
                                                                                                                                                                                                              • String ID: 9y8
                                                                                                                                                                                                              • API String ID: 2493088380-3592070472
                                                                                                                                                                                                              • Opcode ID: bc2a9a8c608fd580a8be1590da89b2f7afc097c82f6181f4b0a8448afbcfbf4b
                                                                                                                                                                                                              • Instruction ID: 87e42218570d7874c499c591672e39235957a8199cdc65450910efda2d370e89
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bc2a9a8c608fd580a8be1590da89b2f7afc097c82f6181f4b0a8448afbcfbf4b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4B71D275A00301CBDB28DF2AED92B7E37F5FB94311B10825AE806D7264EBB49D81CB51
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00C32290: lstrlen.KERNEL32(?), ref: 00C322A2
                                                                                                                                                                                                                • Part of subcall function 00C32290: CharLowerBuffA.USER32(?,00000000), ref: 00C322BE
                                                                                                                                                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C420A2
                                                                                                                                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 00C42132
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00C4217B
                                                                                                                                                                                                              • Process32Next.KERNEL32(00000000,00000128), ref: 00C42228
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00C4227B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandleProcess$BuffCharLowerNextOpenProcess32Terminatelstrlen
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3465298759-0
                                                                                                                                                                                                              • Opcode ID: d415e5d1d141a166dd80f2df999c3f095c7d1480ece47de94d0e6585d9ff1028
                                                                                                                                                                                                              • Instruction ID: 95345730cbf33f9fc6f287cf766c15185f8e17b7cc0699fdfad0047a7ca68599
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d415e5d1d141a166dd80f2df999c3f095c7d1480ece47de94d0e6585d9ff1028
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D661EF79A01300CBC728DF16ED92BAD77B5FB54316B10421AE902EB274E7B4AE81CF54
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,00C48262,Function_00001300,00000001,?), ref: 00C4199B
                                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 00C419C2
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,00C48262,Function_00001300,00000001,?), ref: 00C419DD
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00C48262,Function_00001300,00000001,?), ref: 00C419F2
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,000000FF,?,00C48262,Function_00001300,00000001,?), ref: 00C41A19
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseCreateHandle$EventObjectSingleThreadWait
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1404307249-0
                                                                                                                                                                                                              • Opcode ID: 1d673c09347c5b778a0d9f49783e3cd5ffb13ad175b7031af4138df21d9ddba4
                                                                                                                                                                                                              • Instruction ID: 60b3a6737ce8111001ba2042f8d83a399b39eac78a1103c10109da9b3f091cd3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1d673c09347c5b778a0d9f49783e3cd5ffb13ad175b7031af4138df21d9ddba4
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E021B47A2003009FD324DF61ED96B1A3BA4FB48711F10861AF556EB6B4D7F0D880CB55
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00C37221
                                                                                                                                                                                                              • RegSetValueExA.ADVAPI32(?,00F64A38,00000000,00000001,?,00000000), ref: 00C372E0
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00C37300
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseOpenValue
                                                                                                                                                                                                              • String ID: IR
                                                                                                                                                                                                              • API String ID: 779948276-3379982419
                                                                                                                                                                                                              • Opcode ID: 529507cd00321d5269b605191b6524bfb3f76dc89c403a6ac5eab91421aee697
                                                                                                                                                                                                              • Instruction ID: 4354206dd284ed0ebcce9cd3b6dc899cb20abeda9d527e6a538c0b336282b113
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 529507cd00321d5269b605191b6524bfb3f76dc89c403a6ac5eab91421aee697
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1041357A6202109BD724DF26EC81B7E37B5F798722B14421AE806D7770E7F88881DB55
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000008,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00C43A0F
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00C43A3E
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00C43A52
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 52bda8bfd04f5d61deb6ccad09312c75790ffd7867c6425c7350b1143a0ecdf3
• Instruction ID: e740a4b00dc3a4562ba6c729d6c39bb989ccd98d4d4b6cb8efe2c1346cc09aa2
• Opcode Fuzzy Hash: 52bda8bfd04f5d61deb6ccad09312c75790ffd7867c6425c7350b1143a0ecdf3
• Instruction Fuzzy Hash: 3D4113759003049FD728DF5AEC91B6D37B5FB98712F10401AE506EB2B4E7F0A985CB85
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00C4E966
• ReadFile.KERNEL32(00000000,?,00005000,00000000,00000000), ref: 00C4E9D7
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00C4EADD
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: File$CloseCreateHandleRead
• String ID:
• API String ID: 1035965006-0
• Opcode ID: e14053cf4295a43ae8c6d91044ca84d44e21ee1916df757bade71461a46187fc
• Instruction ID: b830d925e9e655bda780b2e2dd6e70e686c9a3d470e33ace28bdd9ca2414c7c6
• Opcode Fuzzy Hash: e14053cf4295a43ae8c6d91044ca84d44e21ee1916df757bade71461a46187fc
• Instruction Fuzzy Hash: A281AC796003049FD328DF6AFC92B6E37B5F794312F104519E906A72E1DBB0A981CB95
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C3C312
• Process32First.KERNEL32(00000000,?), ref: 00C3C35A
• Process32Next.KERNEL32(00000000,00000128), ref: 00C3C478
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Process32$CreateFirstNextSnapshotToolhelp32
• String ID:
• API String ID: 1238713047-0
• Opcode ID: e95dd7a08abb2b9165c934ef63315e95f72ef5e48f8c60781c84c3b750a17a7a
• Instruction ID: 58d835429f4d65483950b2ba509ebf8f5a9f623c4108c45134b984bd6b832ff1
• Opcode Fuzzy Hash: e95dd7a08abb2b9165c934ef63315e95f72ef5e48f8c60781c84c3b750a17a7a
• Instruction Fuzzy Hash: 04510579510311CBD724CF22FD957BD37B5FB44305F10811AE946AA6B4EBB48980CF91
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,00C50A87,00000000,?,?,?,?,?,00000001), ref: 00C4FAF7
• RtlReAllocateHeap.NTDLL(00000000,?,00C50A87,00000000), ref: 00C4FAFE
• GetProcessHeap.KERNEL32(00000000,?,?,00C50A87,00000000,?,?,?,?,?,00000001), ref: 00C4FB19
• HeapAlloc.KERNEL32(00000000,?,00C50A87,00000000,?,?,?,?,?,00000001), ref: 00C4FB20
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Heap$Process$AllocAllocate
• String ID:
• API String ID: 1154092256-0
• Opcode ID: 6a9b307513d07751938ce3d6bfdcf9cb6a5d614583be97fec7e5e32c2671081f
• Instruction ID: 5be6cd3ae5cf836648234f24263f2f80258bc19e9797f044cc22d0c713257890
• Opcode Fuzzy Hash: 6a9b307513d07751938ce3d6bfdcf9cb6a5d614583be97fec7e5e32c2671081f
• Instruction Fuzzy Hash: 7FF01C75111304EFDB149FB1EC09B6E3BA8FB88612F108108F919A75A0DB719981CB61
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000001,00000001,00000000,00000001,00000000), ref: 00C23E43
• __aulldiv.LIBCMT ref: 00C23E74
Strings
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: Time$FileSystem__aulldiv
• String ID: L9<8
• API String ID: 2838486344-2160928743
• Opcode ID: 5e4bdf103d32c12a6550758f118c10bdab541659b43494e8eb48d7298e38a550
• Instruction ID: 9239562ddc877d5857c0f034668051a1bfe336b3bfbb5b067fded4b9c01aa179
• Opcode Fuzzy Hash: 5e4bdf103d32c12a6550758f118c10bdab541659b43494e8eb48d7298e38a550
• Instruction Fuzzy Hash: E8413779A103608BC728CF46FD9173D37B2FB98716710415ED403ABAB0D7B89981CB80
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
• Associated: 00000005.00000002.2171895436.0000000000C20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171945906.0000000000C52000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171960198.0000000000C53000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C56000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2171975609.0000000000C6E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2172027878.0000000000C6F000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c20000_qbpabupgx.jbxd
Similarity
• API ID: CountSystemTickTime
• String ID: @(l$
• API String ID: 2164215191-2034585603
• Opcode ID: 5d0946abebe117be274e0f7781dda57462e58ecd51f681c3de96a397c4971dfe
• Instruction ID: 9550a4657eff1512485e41336893dfbaf89ff2b382da7831bce0c929ceae53a7
• Opcode Fuzzy Hash: 5d0946abebe117be274e0f7781dda57462e58ecd51f681c3de96a397c4971dfe
• Instruction Fuzzy Hash: 2341907A9003108FC364CF2AFCC277E77B1FB94316314412AD846E6671EBB5A981EB51
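The per-function "APIs" lists above (file read, Toolhelp32 process walk, heap helpers, FILETIME division, tick count, and the mutex/sleep routine that follows) are the raw material an analyst turns into a first triage pass. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own signature logic: it parses these function summaries into structured call records and tags API chains worth a closer look. The chain catalogue (the tag names and which APIs make up each chain) is this example's own heuristic, and the FILETIME conversion mirrors what an `__aulldiv` after `GetSystemTimeAsFileTime` commonly computes; whether this sample actually performs that conversion is not established by the report. The sample text is copied from the report's entries above.

```python
"""
Added example: parse Joe Sandbox function summaries ("APIs" blocks) and tag
suspicious API chains. Heuristics and tag names are this example's own.
"""
import re

# One API reference line as it appears in the report, with or without an
# argument list, optionally prefixed by "Part of subcall function XXXXXXXX:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Heuristic chain catalogue (this example's own, not Joe Sandbox's rules):
# a function is tagged when it references every API in the set.
CHAINS = {
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "file-read": {"CreateFileA", "ReadFile"},
    "date-arithmetic": {"GetSystemTimeAsFileTime", "__aulldiv"},
    "tick-sleep": {"GetTickCount", "Sleep"},
    "mutex-marker": {"CreateMutexA"},
}

# 1601-01-01 to 1970-01-01 in 100 ns FILETIME units.
EPOCH_DIFF_100NS = 116_444_736_000_000_000


def parse_functions(text):
    """Split report text into function blocks, one per 'APIs' heading."""
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": [], "api_id": None}
            functions.append(current)
            continue
        if current is None:
            continue
        if line.startswith("• API ID:"):
            current["api_id"] = line.split(":", 1)[1].strip()
            continue
        m = API_LINE.match(raw)
        if m:
            current["calls"].append({
                "api": m["api"],
                "module": m["module"],
                "args": [a for a in (m["args"] or "").split(",") if a],
                "ref": m["ref"],
                "via_callee": m["callee"],   # set when the call sits in a subcall
            })
    return functions


def tag_function(func):
    """Return the sorted chain tags whose API set is fully present."""
    names = {c["api"] for c in func["calls"]}
    return sorted(tag for tag, needed in CHAINS.items() if needed <= names)


def triage(text):
    """One summary row per function: API ID, first reference address, tags."""
    return [
        {
            "api_id": f["api_id"],
            "first_ref": f["calls"][0]["ref"] if f["calls"] else None,
            "tags": tag_function(f),
        }
        for f in parse_functions(text)
    ]


def filetime_to_unix(filetime):
    """FILETIME (100 ns since 1601) -> Unix seconds; the division by 10^7 is
    the kind of 64-bit unsigned divide that __aulldiv implements on x86."""
    return (filetime - EPOCH_DIFF_100NS) // 10_000_000


# Constructed input: lines copied from the report's function summaries.
SAMPLE = r"""APIs
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00C4E966
• ReadFile.KERNEL32(00000000,?,00005000,00000000,00000000), ref: 00C4E9D7
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00C4EADD
Memory Dump Source
• Source File: 00000005.00000002.2171915684.0000000000C21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C20000, based on PE: true
Similarity
• API ID: File$CloseCreateHandleRead
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C3C312
• Process32First.KERNEL32(00000000,?), ref: 00C3C35A
• Process32Next.KERNEL32(00000000,00000128), ref: 00C3C478
Similarity
• API ID: Process32$CreateFirstNextSnapshotToolhelp32
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000001,00000001,00000000,00000001,00000000), ref: 00C23E43
• __aulldiv.LIBCMT ref: 00C23E74
Strings
Similarity
• API ID: Time$FileSystem__aulldiv
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 001103F9
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00110427
• GetTickCount.KERNEL32 ref: 00110587
• Sleep.KERNELBASE(000003E8), ref: 00110CDF
  • Part of subcall function 0010B150: CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0010B1D7
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["first_ref"], row["api_id"], ", ".join(row["tags"]) or "-")
```

Running it on the sample prints one row per function with its tags; the Toolhelp32 walk and the mutex/tick/sleep routine are the two an analyst would open first in the dump, since they are where targeting checks and timing-based evasion typically live. Extend `CHAINS` with your own sets rather than matching on single APIs, because `GetProcessHeap` or `CreateFileA` alone appears in plenty of benign runtime code.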
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 001103F9
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00110427
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 0011046A
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00110496
• GetTickCount.KERNEL32 ref: 00110587
• GetCommandLineA.KERNEL32 ref: 0011063E
• Sleep.KERNELBASE(000003E8), ref: 00110CDF
  • Part of subcall function 0010B150: CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0010B1D7
• Sleep.KERNEL32(00000D05), ref: 00110BD2
  • Part of subcall function 0010B150: GetFileTime.KERNEL32(00000000,?,?,?), ref: 0010B256
  • Part of subcall function 0010B150: CloseHandle.KERNEL32(00000000), ref: 0010B26B
• Sleep.KERNEL32(000007D0), ref: 00110DD1
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00110EA8
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00110ECC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00110EFE
• SetFileAttributesA.KERNEL32(?,00000002), ref: 001110B9
• SetFileAttributesA.KERNEL32(?,00000080), ref: 001110E7
• GetCommandLineA.KERNEL32(00000000), ref: 0011120E
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 0011132B
  • Part of subcall function 00112290: lstrlen.KERNEL32(?), ref: 001122A2
  • Part of subcall function 00112290: CharLowerBuffA.USER32(?,00000000), ref: 001122BE
• MessageBoxA.USER32(00000000,00000004,00000005,00000000), ref: 00111663
  • Part of subcall function 001072E0: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00107452
• CloseHandle.KERNEL32(00000000), ref: 00111AC5
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00111AE1
• CopyFileA.KERNEL32(?,?,00000000), ref: 00111B07
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00111B43
• Sleep.KERNEL32(000003E8), ref: 00111CAC
• WSAStartup.WS2_32(00000202,?), ref: 00111947
  • Part of subcall function 00122780: ExitProcess.KERNEL32 ref: 001227B0
• Sleep.KERNEL32(000007D0), ref: 00111DFC
• SetFileAttributesA.KERNEL32(00146680,00000080), ref: 00111E27
• CopyFileA.KERNEL32(?,00146680,00000000), ref: 00111E45
• SetFileAttributesA.KERNEL32(00146680,00000002), ref: 00111E7B
  • Part of subcall function 0012C080: Sleep.KERNEL32(000003E8), ref: 0012C1C3
  • Part of subcall function 0010BBA0: wvsprintfA.USER32(00000000,?,001209D1), ref: 0010BBEB
• CreateThread.KERNEL32(00000000,00000000,Function_0002FE10,00000000,00000000,00000000), ref: 00112194
• Sleep.KERNEL32(0000C350), ref: 00112210
Strings
Memory Dump Source
• Source File: 00000009.00000002.3398045051.0000000000101000.00000020.00000001.01000000.00000007.sdmp, Offset: 00100000, based on PE: true
• Associated: 00000009.00000002.3398012120.0000000000100000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398086795.0000000000132000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398107567.0000000000133000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.0000000000136000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.000000000014B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.000000000014E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398187425.000000000014F000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_100000_tkjnbticppc.jbxd
Similarity
• API ID: File$AttributesSleep$Create$CopyMutex$CloseCommandHandleLineModuleName$BuffCharCountEnvironmentExitLowerMessageProcessStartupThreadTickTimeVariablelstrlenwvsprintf
• String ID: C:\Windows\system32\config\systemprofile$x7;C
• API String ID: 1500488346-1470472774
• Opcode ID: ffffa3bf1f409cff062c8de5be5a2168513a0d4dd6cc6139a0c438b6f61909df
• Instruction ID: a339e5f0b98a187b6ff5cecc69202004ea9c0cc61d18c20e1bacc4d9eca313ea
• Opcode Fuzzy Hash: ffffa3bf1f409cff062c8de5be5a2168513a0d4dd6cc6139a0c438b6f61909df
• Instruction Fuzzy Hash: E503E179A00200DBD718DF64FC92AAA77F6FB66314B40812AE501CBEB5E7B499C1CF51

Control-flow Graph
• Rendered graph not reproduced here (legend: Executed / Not Executed). Function entry: 00112490. Basic blocks that call Windows APIs, in address order: 112505 GetVersionExA; 1126b4 CreateDirectoryA; 112823 DeleteFileA, RemoveDirectoryA; 1128bc CreateDirectoryA; 1129ab CreateDirectoryA; 112c6a CreateDirectoryA; 112d45 CreateDirectoryA; 112e9a GetTempPathA; 11302b CreateDirectoryA; 1131d4 GetTempPathA; 11342b SetFileAttributesA.
APIs
• GetVersionExA.KERNEL32(0014EAC8), ref: 00112572
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 001126EF
• DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00112843
• RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 0011289F
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0011293F
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001129E1
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00112CAC
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00112D6E
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00112EB0
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0011307B
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 001131FA
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 0011344D
Strings
Memory Dump Source
• Source File: 00000009.00000002.3398045051.0000000000101000.00000020.00000001.01000000.00000007.sdmp, Offset: 00100000, based on PE: true
• Associated: 00000009.00000002.3398012120.0000000000100000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398086795.0000000000132000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398107567.0000000000133000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.0000000000136000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.000000000014B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.000000000014E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398187425.000000000014F000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_100000_tkjnbticppc.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Windows\system32\config\systemprofile$C:\daxjjwrfm\$Wq0O$\
• API String ID: 1691758827-4043548932
• Opcode ID: 8b7ce0d9a7a983f99c6529910d33350f70eaef474a15cbe50f89d3fc34916966
• Instruction ID: b5f09ebe7e1b409dc3169d9df88d4ea5a70127dbe5c23682e8ac1ab0e605fd7a
• Opcode Fuzzy Hash: 8b7ce0d9a7a983f99c6529910d33350f70eaef474a15cbe50f89d3fc34916966
• Instruction Fuzzy Hash: 5E8222B9A00211CBD718DF24FC92AAA37F5FB65310B40813AE901DBEB5E77499C1CB55
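The two API listings above (the calls from 001103F9 to 00112210, and the directory-creating routine from 00112572 to 0011344D) record raw argument values that an analyst has to decode by hand: Sleep(0000C350) is 50 seconds, SetFileAttributesA(...,00000002) sets FILE_ATTRIBUTE_HIDDEN, and the GetModuleFileNameA, SetFileAttributesA(0x80), CopyFileA, SetFileAttributesA(0x02) run is a copy-self-then-hide sequence. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the page's `• Api.MODULE(args), ref: ADDR` format (the embedded sample is a subset of the lines from both listings, in listing order), decodes the constants using the documented Win32 values for FILE_ATTRIBUTE_*, GENERIC_* and the CreateFile creation dispositions, and flags each CopyFileA that is followed by a hidden-attribute SetFileAttributesA. The names `parse_listing`, `describe`, `find_copy_then_hide` and `triage` are mine, and the three-call look-ahead window is an assumption rather than something the report states.

```python
"""Decode a Joe Sandbox 'APIs' listing. Added example; not part of the report."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the two listings on this page, in listing order.
LISTING = r"""
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 001103F9
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00110427
• GetTickCount.KERNEL32 ref: 00110587
• Sleep.KERNELBASE(000003E8), ref: 00110CDF
  • Part of subcall function 0010B150: CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0010B1D7
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00110EA8
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00110ECC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00110EFE
• SetFileAttributesA.KERNEL32(?,00000002), ref: 001110B9
  • Part of subcall function 001072E0: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00107452
• WSAStartup.WS2_32(00000202,?), ref: 00111947
• SetFileAttributesA.KERNEL32(00146680,00000080), ref: 00111E27
• CopyFileA.KERNEL32(?,00146680,00000000), ref: 00111E45
• SetFileAttributesA.KERNEL32(00146680,00000002), ref: 00111E7B
• CreateThread.KERNEL32(00000000,00000000,Function_0002FE10,00000000,00000000,00000000), ref: 00112194
• Sleep.KERNEL32(0000C350), ref: 00112210
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 001126EF
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 0011344D
"""

# One listing line: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional "(args)", then "ref: <call-site address>".
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Documented Win32 constant values used for decoding.
FILE_ATTRIBUTES = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM",
                   0x20: "ARCHIVE", 0x80: "NORMAL", 0x100: "TEMPORARY"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                 # int for 8-hex-digit literals, str otherwise ('?' = unrecovered)
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee whose body made this call, for "Part of subcall" lines


def _arg(token: str):
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else token


def parse_listing(text: str) -> List[ApiCall]:
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as 'APIs' or 'Strings', or blank lines
        args = [_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
        sub = int(m["subfn"], 16) if m["subfn"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), sub))
    return calls


def flag_names(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) or f"0x{value:X}"


def describe(call: ApiCall) -> str:
    """Decode the arguments an analyst would otherwise look up by hand."""
    a = call.args
    if call.api == "Sleep" and a and isinstance(a[0], int):
        return f"Sleep {a[0]} ms"
    if call.api == "SetFileAttributesA" and len(a) > 1 and isinstance(a[1], int):
        return f"SetFileAttributesA {flag_names(a[1], FILE_ATTRIBUTES)}"
    if call.api == "CreateFileA" and len(a) > 4 and isinstance(a[1], int) and isinstance(a[4], int):
        return (f"CreateFileA access={flag_names(a[1], GENERIC_ACCESS)} "
                f"disposition={DISPOSITION.get(a[4], hex(a[4]))}")
    return call.api


def find_copy_then_hide(calls: List[ApiCall], window: int = 3) -> List[Tuple[int, int]]:
    """CopyFileA followed within `window` calls by SetFileAttributesA with
    FILE_ATTRIBUTE_HIDDEN (0x2). The window size is an assumption."""
    hits = []
    for i, call in enumerate(calls):
        if call.api != "CopyFileA":
            continue
        for later in calls[i + 1:i + 1 + window]:
            if (later.api == "SetFileAttributesA" and len(later.args) > 1
                    and isinstance(later.args[1], int) and later.args[1] & 0x2):
                hits.append((call.ref, later.ref))
                break
    return hits


def total_sleep_ms(calls: List[ApiCall]) -> int:
    return sum(c.args[0] for c in calls
               if c.api == "Sleep" and c.args and isinstance(c.args[0], int))


def triage(text: str) -> dict:
    calls = parse_listing(text)
    return {"calls": len(calls),
            "copy_then_hide": find_copy_then_hide(calls),
            "total_sleep_ms": total_sleep_ms(calls),
            "decoded": [f"{c.ref:08X} {describe(c)}" for c in calls]}


if __name__ == "__main__":
    result = triage(LISTING)
    print("\n".join(result["decoded"]))
    print("copy-then-hide:", [f"{a:08X}->{b:08X}" for a, b in result["copy_then_hide"]])
    print("total Sleep:", result["total_sleep_ms"], "ms")
```

Run on the embedded sample it reports two copy-then-hide pairs (00110EFE→001110B9 and 00111E45→00111E7B), decodes the subcall CreateFileA at 0010B1D7 as a zero-access OPEN_EXISTING open (consistent with the GetFileTime that follows it in the full listing) and the one at 00107452 as GENERIC_READ|GENERIC_WRITE with CREATE_ALWAYS, and sums the sampled Sleep calls to 51 seconds. The hidden-attribute call at 0011344D is not flagged because no CopyFileA precedes it within the window; trailing `?` arguments, which the sandbox emits as stack noise, are kept but ignored by the decoders.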

Control-flow Graph
• Rendered graph not reproduced here (legend: Executed / Not Executed). Function entry: 00123060. Basic blocks that call Windows APIs, in address order: 123253 CreateFileA; 12340d WriteFile; 1234d6 CloseHandle.
APIs
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0012327A
• WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 0012344B
• CloseHandle.KERNELBASE(?), ref: 001234DA
Memory Dump Source
• Source File: 00000009.00000002.3398045051.0000000000101000.00000020.00000001.01000000.00000007.sdmp, Offset: 00100000, based on PE: true
• Associated: 00000009.00000002.3398012120.0000000000100000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398086795.0000000000132000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398107567.0000000000133000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.0000000000136000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                              • Associated: 00000009.00000002.3398123158.000000000014B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000009.00000002.3398123158.000000000014E000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000009.00000002.3398187425.000000000014F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_9_2_100000_tkjnbticppc.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$CloseCreateHandleWrite
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1065093856-0
                                                                                                                                                                                                              • Opcode ID: 448f31a9aa7611a3bef47a201bd30ad5b9a01ac47414079fabc2cbe273007960
                                                                                                                                                                                                              • Instruction ID: 036af81348c3e2a2d06b69c4046d7fad184db21a7692efe9e69129e7014e05b5
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 448f31a9aa7611a3bef47a201bd30ad5b9a01ac47414079fabc2cbe273007960
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 67C103B9A10610CBC304DF68FCC166A73F5F766725B10812AE806CBEB4E77899D1CB81

Control-flow Graph
control_flow_graph 649 10b150-10b1a7 650 10b1a9-10b1b5 649->650 651 10b1bb-10b1fc CreateFileA 649->651 650->651 652 10b21c-10b25e GetFileTime 651->652 653 10b1fe-10b21b 651->653 654 10b260-10b283 CloseHandle 652->654 655 10b284-10b2ac 652->655 656 10b2b8-10b34a call 12f840 GetFileSize CloseHandle 655->656 657 10b2ae 655->657 660 10b36c-10b36f 656->660 661 10b34c-10b35e 656->661 657->656 663 10b371-10b38b 660->663 664 10b38c-10b39e 660->664 661->660 662 10b360-10b365 661->662 662->660
APIs
• CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0010B1D7
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 0010B256
• CloseHandle.KERNEL32(00000000), ref: 0010B26B
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010B2E7
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 0010B31A
• CloseHandle.KERNEL32(00000000), ref: 0010B334
Strings
Memory Dump Source
• Source File: 00000009.00000002.3398045051.0000000000101000.00000020.00000001.01000000.00000007.sdmp, Offset: 00100000, based on PE: true
• Associated: 00000009.00000002.3398012120.0000000000100000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398086795.0000000000132000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398107567.0000000000133000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.0000000000136000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.000000000014B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.000000000014E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398187425.000000000014F000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_100000_tkjnbticppc.jbxd
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: td9k
• API String ID: 3236713533-1579400769
• Opcode ID: c1d81fb912955a8a9d090f627865ee9d6df08b6bcdcae11b9d877f58dec2e1a8
• Instruction ID: 8a527b6be2df563995667f8f6f4249aff792102c238269aa9f784e11913a3fbc
• Opcode Fuzzy Hash: c1d81fb912955a8a9d090f627865ee9d6df08b6bcdcae11b9d877f58dec2e1a8
• Instruction Fuzzy Hash: 3451D179A15201ABC314DF69FC81A6A77F5FB85324F10825AE809CBAB4E77099C1CF85

Control-flow Graph
control_flow_graph 665 11c250-11c26e 666 11c270-11c28e 665->666 667 11c29a-11c2d0 665->667 666->667 668 11c290 666->668 669 11c2e2-11c326 CreateToolhelp32Snapshot 667->669 670 11c2d2-11c2dd 667->670 668->667 671 11c4e5-11c51e call 129e60 669->671 672 11c32c-11c381 Process32First 669->672 670->669 674 11c387 672->674 675 11c4ca-11c4db CloseHandle 672->675 677 11c390-11c3d5 call 12f8f0 674->677 675->671 680 11c3d7-11c3e7 677->680 681 11c3e9-11c40d 677->681 682 11c414-11c43f call 112290 call 121d60 680->682 681->682 687 11c441-11c49c Process32Next 682->687 688 11c4a4-11c4c3 682->688 687->677 689 11c4a2 687->689 688->675 689->675
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0011C312
• Process32First.KERNEL32(00000000,?), ref: 0011C35A
• Process32Next.KERNEL32(00000000,00000128), ref: 0011C478
Memory Dump Source
• Source File: 00000009.00000002.3398045051.0000000000101000.00000020.00000001.01000000.00000007.sdmp, Offset: 00100000, based on PE: true
• Associated: 00000009.00000002.3398012120.0000000000100000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398086795.0000000000132000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398107567.0000000000133000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.0000000000136000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.000000000014B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.000000000014E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398187425.000000000014F000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_100000_tkjnbticppc.jbxd
Similarity
• API ID: Process32$CreateFirstNextSnapshotToolhelp32
• String ID:
• API String ID: 1238713047-0
• Opcode ID: 3b907b906c220b0de74af9c886fb23e7ba295b8dbfb13eea3c1a0f7ce3346c50
• Instruction ID: b517087b3fd7be90fa9984c621cf8294527c08affdb274a7d5e119cd2dc8b6c4
• Opcode Fuzzy Hash: 3b907b906c220b0de74af9c886fb23e7ba295b8dbfb13eea3c1a0f7ce3346c50
• Instruction Fuzzy Hash: 025133B9905211CFD718CF20FDA56A937B6FB56315F00802AE9469BEB4EB7489C0CF91
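The three listings above (the CreateFileA/WriteFile/CloseHandle sequence starting at 123060, the CreateFileA/GetFileTime/GetFileSize sequence at 10b150 and the CreateToolhelp32Snapshot/Process32First/Process32Next loop at 11c250) print their arguments as raw hex stack slots. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the analysed sample: it parses lines in the shape printed above and decodes the slots that separate a file drop (GENERIC_WRITE with CREATE_ALWAYS, followed by WriteFile) from a metadata probe (access mask 0 with OPEN_EXISTING, followed by GetFileTime/GetFileSize), and recognises a TH32CS_SNAPPROCESS process walk. The input lines are copied from the report, the constant tables are the documented Win32 values, and the labels "file-write", "file-stat" and "process-enum" are names chosen for this example.

```python
"""Decode Joe Sandbox 'APIs' lines into readable Win32 arguments.

Added triage helper; not part of the Joe Sandbox report or of the analysed sample.
Constant tables are the documented Win32 values; sample lines are copied from the report.
"""
import re
from typing import Optional

# Input copied from the report's APIs listings (hex argument slots, '?' = unresolved).
SAMPLE_BLOCKS = {
    "123060": [
        "CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0012327A",
        "WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 0012344B",
        "CloseHandle.KERNELBASE(?), ref: 001234DA",
    ],
    "10b150": [
        "CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0010B1D7",
        "GetFileTime.KERNEL32(00000000,?,?,?), ref: 0010B256",
        "GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 0010B31A",
        "CloseHandle.KERNEL32(00000000), ref: 0010B334",
    ],
    "11c250": [
        "CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0011C312",
        "Process32First.KERNEL32(00000000,?), ref: 0011C35A",
        "Process32Next.KERNEL32(00000000,00000128), ref: 0011C478",
    ],
}

# Documented Win32 constants (winnt.h / fileapi.h / tlhelp32.h).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
          0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}

# "Api.Module(args), ref: addr"; the parenthesised part is missing when Joe Sandbox
# resolved no arguments (e.g. "ExitProcess.KERNEL32 ref: 00126E44").
LINE_RE = re.compile(
    r"^(?P<api>[^.\s]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function [0-9A-Fa-f]+:\s*")


def parse_line(line: str) -> dict:
    """Return {'api', 'module', 'args', 'ref'}; unresolved '?' slots become None."""
    text = SUBCALL_RE.sub("", line.strip().lstrip("• ").strip())
    m = LINE_RE.match(text)
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    raw = m["args"] or ""
    args = [None if a == "?" else int(a, 16) for a in raw.split(",") if a]
    return {"api": m["api"], "module": m["mod"], "args": args, "ref": int(m["ref"], 16)}


def _flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)  # bits the table does not cover
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def describe(call: dict) -> str:
    """Render the argument slots that matter for triage.

    Joe Sandbox prints whatever sits on the stack at the call site, so a listing can
    show more slots than the API's real arity (CreateFileA at 123060 shows 8 for a
    7-argument function). Index by documented position and ignore the tail.
    """
    api, a = call["api"], call["args"]
    if api == "CreateFileA" and len(a) >= 5:
        acc = "?" if a[1] is None else _flags(a[1], GENERIC_ACCESS)
        disp = "?" if a[4] is None else DISPOSITION.get(a[4], hex(a[4]))
        return f"CreateFileA(access={acc}, disposition={disp})"
    if api == "WriteFile" and len(a) >= 3 and a[2] is not None:
        return f"WriteFile(nNumberOfBytesToWrite={a[2]:#x} = {a[2]} bytes)"
    if api == "CreateToolhelp32Snapshot" and a and a[0] is not None:
        return f"CreateToolhelp32Snapshot(dwFlags={_flags(a[0], TH32CS)})"
    rendered = ", ".join("?" if x is None else f"{x:#x}" for x in a)
    return f"{api}({rendered})"


def classify(lines: list) -> Optional[str]:
    """Label one function's API listing; the labels are this example's own names."""
    calls = [parse_line(l) for l in lines]
    apis = {c["api"] for c in calls}
    for c in calls:
        a = c["args"]
        if c["api"] == "CreateFileA" and len(a) >= 5:
            acc, disp = a[1], a[4]
            # GENERIC_WRITE with a creating/truncating disposition, then WriteFile: a drop.
            if acc is not None and acc & 0x40000000 and disp in (1, 2, 4, 5) and "WriteFile" in apis:
                return "file-write"
            # Access mask 0 + OPEN_EXISTING, then time/size queries: metadata probe, no read.
            if disp == 3 and apis & {"GetFileTime", "GetFileSize"}:
                return "file-stat"
        if (c["api"] == "CreateToolhelp32Snapshot" and a and a[0] is not None
                and a[0] & 0x2 and apis & {"Process32First", "Process32Next"}):
            return "process-enum"
    return None


if __name__ == "__main__":
    for func, lines in SAMPLE_BLOCKS.items():
        print(f"sub_{func}: {classify(lines)}")
        for line in lines:
            print("   ", describe(parse_line(line)))
```

Run against the three listings, the helper labels 123060 as a 0x5000-byte (20480-byte) chunked write into a file created with GENERIC_WRITE and CREATE_ALWAYS, 10b150 as an OPEN_EXISTING open with a zero access mask (enough to query time and size, not to read data), and 11c250 as a TH32CS_SNAPPROCESS enumeration. One caveat the listing does not settle: the 0x128 printed in Process32Next's second slot equals 296, which is sizeof(PROCESSENTRY32) for a 32-bit ANSI build, but that slot is documented as a pointer, so whether the report is showing the structure's dwSize field or an unrelated stack value cannot be read off the line, and the helper deliberately does not decode it.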

Control-flow Graph
control_flow_graph 1087 11c520-11c52d 1088 11c543-11c565 GetProcessHeap RtlFreeHeap 1087->1088 1089 11c52f-11c53c 1087->1089 1090 11c567-11c576 1088->1090 1091 11c57c-11c57d 1088->1091 1089->1088 1090->1091
APIs
• GetProcessHeap.KERNEL32(00000000,00130A4E,?,00130A4E,00000000), ref: 0011C549
• RtlFreeHeap.NTDLL(00000000,?,00130A4E,00000000), ref: 0011C550
Memory Dump Source
• Source File: 00000009.00000002.3398045051.0000000000101000.00000020.00000001.01000000.00000007.sdmp, Offset: 00100000, based on PE: true
• Associated: 00000009.00000002.3398012120.0000000000100000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398086795.0000000000132000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398107567.0000000000133000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.0000000000136000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.000000000014B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.000000000014E000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398187425.000000000014F000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_100000_tkjnbticppc.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: fb2a2ab47133d8a839671f88502295e646f430773d5a670bd9a613e8240344bf
• Instruction ID: 824675c196719a431b1611a2662b200d8602cbefda666e0aa685d18b7e116eb1
• Opcode Fuzzy Hash: fb2a2ab47133d8a839671f88502295e646f430773d5a670bd9a613e8240344bf
• Instruction Fuzzy Hash: FCF0ED79A082049FDA089F18EC9AA6437F5EB05704B000409E906CBE70E770F8C0CBA9

Control-flow Graph
control_flow_graph 1093 126d32-126dd1 call 102ef0 call 1020e0 call 125400 call 118660
APIs
  • Part of subcall function 001020E0: GetStdHandle.KERNEL32(000000F6,?,?,00126D5F), ref: 00102113
  • Part of subcall function 001020E0: GetStdHandle.KERNEL32(000000F5,?,?,00126D5F), ref: 00102145
  • Part of subcall function 001020E0: GetStdHandle.KERNEL32(000000F4,?,?,00126D5F), ref: 00102198
• ExitProcess.KERNEL32 ref: 00126E44
Memory Dump Source
• Source File: 00000009.00000002.3398045051.0000000000101000.00000020.00000001.01000000.00000007.sdmp, Offset: 00100000, based on PE: true
• Associated: 00000009.00000002.3398012120.0000000000100000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398086795.0000000000132000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398107567.0000000000133000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.0000000000136000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.000000000014B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000009.00000002.3398123158.000000000014E000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                              • Associated: 00000009.00000002.3398187425.000000000014F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_9_2_100000_tkjnbticppc.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Handle$ExitProcess
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 256993070-0
                                                                                                                                                                                                              • Opcode ID: 512f9925ecdcd82cab13ded7a6cd19d53aaa454670480ca725bd627ffaf8c942
                                                                                                                                                                                                              • Instruction ID: c4cc4dc90143c31db55d8cdd9f6394097923e184f4adf9c96540535991cd5f4a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 512f9925ecdcd82cab13ded7a6cd19d53aaa454670480ca725bd627ffaf8c942
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6921B73EA116208BC748EF74FC9257533A3EB663213048515E8418BFB9FBB889C2C741