Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 1322389
MD5: 21c68b05ac982cff12afcb9af3a5657d
SHA1: 3651d8e4e0fdc66c1f888e34337ae2c13cb9b904
SHA256: 19a4f6df26db3df254ccf6270b2abe2ef6bcf86264cd17acaa5a46995672bbe4
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Tofsee
Uses netsh to modify the Windows network and firewall settings
Query firmware table information (likely to detect VMs)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Writes to foreign memory regions
Changes security center settings (notifications, updates, antivirus, firewall)
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Found decision node followed by non-executed suspicious APIs
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Modifies existing windows services
Drops PE files
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains capabilities to detect virtual machines
Uses SMTP (mail sending)
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Queries disk information (often used to detect virtual machines)
Contains functionality to query network adapter information

Classification

  • System is w10x64
  • svchost.exe (PID: 5680 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5456 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5708 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6660 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 352 cmdline: "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe" -wdenable MD5: 31E905BFB19E7D184BB81F274A71B221)
      • conhost.exe (PID: 3320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
  • file.exe (PID: 7448 cmdline: C:\Users\user\Desktop\file.exe MD5: 21C68B05AC982CFF12AFCB9AF3A5657D)
    • cmd.exe (PID: 7624 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ptlohvde\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
    • cmd.exe (PID: 7680 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wdkncqjt.exe" C:\Windows\SysWOW64\ptlohvde\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
    • sc.exe (PID: 7752 cmdline: C:\Windows\System32\sc.exe" create ptlohvde binPath= "C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
    • sc.exe (PID: 7836 cmdline: C:\Windows\System32\sc.exe" description ptlohvde "wifi internet conection MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
    • sc.exe (PID: 7904 cmdline: "C:\Windows\System32\sc.exe" start ptlohvde MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
    • netsh.exe (PID: 7976 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
    • WerFault.exe (PID: 8124 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 632 MD5: F5210A4A7E411A1BAD3844586A74B574)
  • wdkncqjt.exe (PID: 7956 cmdline: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe /d"C:\Users\user\Desktop\file.exe" MD5: B11DD4A2DA4ABF719066A2DB8F95983F)
    • svchost.exe (PID: 6024 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 7240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7956 -s 540 MD5: F5210A4A7E411A1BAD3844586A74B574)
  • svchost.exe (PID: 7984 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 8060 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7448 -ip 7448 MD5: F5210A4A7E411A1BAD3844586A74B574)
    • WerFault.exe (PID: 6288 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7956 -ip 7956 MD5: F5210A4A7E411A1BAD3844586A74B574)
  • svchost.exe (PID: 3360 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5896 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee

Malware configuration: {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):

  • Source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp
    Rule: JoeSecurity_Tofsee
    Description: Yara detected Tofsee
    Author: Joe Security
  • Source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp
    Rule: Windows_Trojan_Tofsee_26124fe4
    Description: unknown
    Author: unknown
    Strings:
      • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
      • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  • Source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp
    Rule: MALWARE_Win_Tofsee
    Description: Detects Tofsee
    Author: ditekSHen
    Strings:
      • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
      • 0x10310:$s2: loader_id
      • 0x10340:$s3: start_srv
      • 0x10370:$s4: lid_file_upd
      • 0x10364:$s5: localcfg
      • 0x10a94:$s6: Incorrect respons
      • 0x10b74:$s7: mx connect error
      • 0x10af0:$s8: Error sending command (sent = %d/%d)
      • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
  • Source: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp
    Rule: JoeSecurity_Tofsee
    Description: Yara detected Tofsee
    Author: Joe Security
  • Source: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp
    Rule: Windows_Trojan_Tofsee_26124fe4
    Description: unknown
    Author: unknown
    Strings:
      • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
      • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  (24 memory-dump entries in total; the remaining entries are not shown in this extract)
Yara matches in unpacked PEs (Source | Rule | Description | Author | Strings):

  • Source: 4.3.file.exe.720000.0.raw.unpack
    Rule: JoeSecurity_Tofsee
    Description: Yara detected Tofsee
    Author: Joe Security
  • Source: 4.3.file.exe.720000.0.raw.unpack
    Rule: Windows_Trojan_Tofsee_26124fe4
    Description: unknown
    Author: unknown
    Strings:
      • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
      • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  • Source: 4.3.file.exe.720000.0.raw.unpack
    Rule: MALWARE_Win_Tofsee
    Description: Detects Tofsee
    Author: ditekSHen
    Strings:
      • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
      • 0xed10:$s2: loader_id
      • 0xed40:$s3: start_srv
      • 0xed70:$s4: lid_file_upd
      • 0xed64:$s5: localcfg
      • 0xf494:$s6: Incorrect respons
      • 0xf574:$s7: mx connect error
      • 0xf4f0:$s8: Error sending command (sent = %d/%d)
      • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
  • Source: 16.3.wdkncqjt.exe.ea0000.0.raw.unpack
    Rule: JoeSecurity_Tofsee
    Description: Yara detected Tofsee
    Author: Joe Security
  • Source: 16.3.wdkncqjt.exe.ea0000.0.raw.unpack
    Rule: Windows_Trojan_Tofsee_26124fe4
    Description: unknown
    Author: unknown
    Strings:
      • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
      • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  (39 unpacked-PE entries in total; the remaining entries are not shown in this extract)
          No Sigma rule has matched
          No Snort rule has matched

          AV Detection

Source: jotunheim.name:443 | URL Reputation: Label: malware
Source: vanaheim.cn:443 | URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Temp\wdkncqjt.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 16.3.wdkncqjt.exe.ea0000.0.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: file.exe | ReversingLabs: Detection: 34%
Source: file.exe | Avira: detected
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\wdkncqjt.exe | Joe Sandbox ML: detected

          Compliance

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 4.2.file.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Unpacked PE file: 16.2.wdkncqjt.exe.400000.0.unpack
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
          Source: Binary string: C:\busoy\jigufab zakamiwir96 vovogimiwer-m.pdb source: file.exe, wdkncqjt.exe.4.dr
          Source: Binary string: [,C:\busoy\jigufab zakamiwir96 vovogimiwer-m.pdb source: file.exe, wdkncqjt.exe.4.dr

          Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 193.106.174.220 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.5 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.1 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.74 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.212.0 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.53.36 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.40.29 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.74 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 80.66.75.77 443
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | ASN Name: IQHOSTRU IQHOSTRU
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | IP Address: 193.106.174.220 193.106.174.220
Source: Joe Sandbox View | IP Address: 40.93.207.5 40.93.207.5
Source: global traffic | TCP traffic: 192.168.2.3:49714 -> 40.93.207.5:25
Source: global traffic | TCP traffic: 192.168.2.3:49719 -> 40.93.207.1:25
Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 40.93.212.0:25
Source: global traffic | TCP traffic: 192.168.2.3:49746 -> 104.47.54.36:25
Source: global traffic | TCP traffic: 192.168.2.3:49821 -> 52.101.40.29:25
Source: global traffic | TCP traffic: 192.168.2.3:49824 -> 98.136.96.74:25
Source: global traffic | TCP traffic: 192.168.2.3:49835 -> 67.195.204.74:25
Source: global traffic | TCP traffic: 192.168.2.3:49838 -> 104.47.53.36:25
Source: svchost.exe, 00000026.00000002.3749729471.000002C2C4D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS</ds:KeyName></ds:KeyInfo><CipherData><Ci
Source: svchost.exe, 00000026.00000003.3112243315.000002C2C5A58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750847365.000002C2C5A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tbpose
Source: svchost.exe, 00000026.00000002.3750551269.000002C2C5A02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3107442635.000002C2C5557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750444056.000002C2C5578000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750116583.000002C2C5500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3107367797.000002C2C5554000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000026.00000003.3107167741.000002C2C552D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdxmlns:
Source: svchost.exe, 00000026.00000003.3107442635.000002C2C5557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750444056.000002C2C5578000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750116583.000002C2C5500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3107367797.000002C2C5554000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000026.00000002.3750116583.000002C2C5500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdcuri
Source: svchost.exe, 00000026.00000003.3107167741.000002C2C552D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdst=
Source: svchost.exe, 00000026.00000002.3749548171.000002C2C4CB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 00000026.00000002.3750116583.000002C2C5500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mi
Source: svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750338270.000002C2C555F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750217722.000002C2C5513000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750338270.000002C2C555F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000026.00000002.3750217722.000002C2C5513000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scerence
Source: svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750338270.000002C2C555F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750217722.000002C2C5513000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 00000002.00000002.3746383824.0000018D1173F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3742838049.0000018D10E88000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.2.dr | String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 00000026.00000002.3750725826.000002C2C5A49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: svchost.exe, 00000026.00000002.3749548171.000002C2C4CB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090887334.000002C2C556B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000026.00000003.3090887334.000002C2C556B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600er
Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090887334.000002C2C556B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageLoginKeys.srf.srf
Source: svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3749548171.000002C2C4CB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4CA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/pps
Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090887334.000002C2C556B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090887334.000002C2C556B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
          Source: svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090887334.000002C2C556B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
          Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfssuer
          Source: svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090887334.000002C2C556B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
          Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfssuer
          Source: svchost.exe, 00000026.00000002.3749729471.000002C2C4D02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
          Source: svchost.exe, 00000026.00000003.3090887334.000002C2C556B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
          Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srfueruer
          Source: svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090887334.000002C2C556B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
          Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srfr
          Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
          Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
          Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
          Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
          Source: svchost.exe, 00000026.00000003.3090887334.000002C2C556B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
          Source: svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
          Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfn
          Source: svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502T
          Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
          Source: svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806005
          Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
          Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
          Source: svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
          Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
          Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
          Source: svchost.exe, 00000026.00000003.3090792976.000002C2C5557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
          Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090513626.000002C2C555A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
          Source: svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
          Source: svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
          Source: svchost.exe, 00000026.00000003.3112243315.000002C2C5A58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
          Source: svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
          Source: svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
          Source: svchost.exe, 00000026.00000002.3749548171.000002C2C4CB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
          Source: svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
          Source: svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
          Source: svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
          Source: unknown | DNS traffic detected: queries for: microsoft-com.mail.protection.outlook.com
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
          Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
          Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
          Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
          Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
          Source: unknown | Network traffic detected: HTTP traffic on port 49825 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49825
          Source: unknown | Network traffic detected: HTTP traffic on port 49872 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49872
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (18 occurrences)

          Spam, unwanted Advertisements and Ransom Demands

          Source: Yara match | File source: 4.3.file.exe.720000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.3.wdkncqjt.exe.ea0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.wdkncqjt.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.svchost.exe.25a0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.wdkncqjt.exe.ee0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.svchost.exe.25a0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.wdkncqjt.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.file.exe.700e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.wdkncqjt.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.wdkncqjt.exe.740e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000003.1572907946.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.1409298622.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: file.exe PID: 7448, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: wdkncqjt.exe PID: 7956, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTR

          System Summary

          Source: 4.3.file.exe.720000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 4.3.file.exe.720000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 16.3.wdkncqjt.exe.ea0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 16.3.wdkncqjt.exe.ea0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 4.2.file.exe.700e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 4.2.file.exe.700e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 16.2.wdkncqjt.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 16.2.wdkncqjt.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 23.2.svchost.exe.25a0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 23.2.svchost.exe.25a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 16.2.wdkncqjt.exe.ee0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 16.2.wdkncqjt.exe.ee0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 23.2.svchost.exe.25a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 23.2.svchost.exe.25a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 16.2.wdkncqjt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 16.2.wdkncqjt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 4.2.file.exe.700e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 4.2.file.exe.700e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 4.3.file.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 4.3.file.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 16.3.wdkncqjt.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 16.3.wdkncqjt.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 16.2.wdkncqjt.exe.ee0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 16.2.wdkncqjt.exe.ee0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 16.2.wdkncqjt.exe.740e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 16.2.wdkncqjt.exe.740e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 16.2.wdkncqjt.exe.740e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 16.2.wdkncqjt.exe.740e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 00000010.00000002.1575910314.0000000000619000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
          Source: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
          Source: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 00000004.00000002.1457392227.000000000090D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
          Source: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 00000010.00000003.1572907946.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 00000010.00000003.1572907946.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 00000004.00000003.1409298622.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 00000004.00000003.1409298622.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
          Source: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
          Source: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7448 -ip 7448
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0040C913
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Code function: 16_2_0040C913
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_025AC913
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
          Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 4.3.file.exe.720000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 4.3.file.exe.720000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.3.wdkncqjt.exe.ea0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.3.wdkncqjt.exe.ea0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 4.2.file.exe.700e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 4.2.file.exe.700e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.2.wdkncqjt.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.2.wdkncqjt.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 23.2.svchost.exe.25a0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 23.2.svchost.exe.25a0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.2.wdkncqjt.exe.ee0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.2.wdkncqjt.exe.ee0000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 23.2.svchost.exe.25a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 23.2.svchost.exe.25a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.2.wdkncqjt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.2.wdkncqjt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 4.2.file.exe.700e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 4.2.file.exe.700e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 4.3.file.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 4.3.file.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.3.wdkncqjt.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.3.wdkncqjt.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.2.wdkncqjt.exe.ee0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.2.wdkncqjt.exe.ee0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.2.wdkncqjt.exe.740e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.2.wdkncqjt.exe.740e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.2.wdkncqjt.exe.740e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.2.wdkncqjt.exe.740e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000010.00000002.1575910314.0000000000619000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000004.00000002.1457392227.000000000090D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000010.00000003.1572907946.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000010.00000003.1572907946.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000004.00000003.1409298622.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000004.00000003.1409298622.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ptlohvde\
          Source: C:\Users\user\Desktop\file.exe | Code function: String function: 007027AB appears 35 times
          Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040EE2A appears 40 times
          Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00402544 appears 53 times
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
          Source: file.exe, 00000004.00000002.1457408755.0000000000922000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegolfstikator.exe> vs file.exe
          Source: file.exe, 00000004.00000000.1282840177.00000000005A0000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamegolfstikator.exe> vs file.exe
          Source: file.exe | Binary or memory string: OriginalFilenamegolfstikator.exe> vs file.exe
          Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@40/5@18/10
          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,HeapCreate,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Code function: 16_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,HeapCreate,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_025A9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
          Source: file.exe | ReversingLabs: Detection: 34%
          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
          Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ptlohvde\
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wdkncqjt.exe" C:\Windows\SysWOW64\ptlohvde\
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ptlohvde binPath= "C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
          Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ptlohvde "wifi internet conection
          Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ptlohvde
          Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe /d"C:\Users\user\Desktop\file.exe"
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7448 -ip 7448
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 632
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7956 -ip 7956
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7956 -s 540
          Source: C:\Windows\System32\svchost.exe | Process created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe" -wdenable
          Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: C:\Windows\System32\svchost.exeProcess created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe" -wdenableJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ptlohvde\Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wdkncqjt.exe" C:\Windows\SysWOW64\ptlohvde\Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ptlohvde binPath= "C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi supportJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ptlohvde "wifi internet conectionJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ptlohvdeJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nulJump to behavior
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exeJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7448 -ip 7448Jump to behavior
          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 632Jump to behavior
          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7956 -ip 7956Jump to behavior
          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7956 -s 540Jump to behavior
          Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\wdkncqjt.exeJump to behavior
          Source: C:\Users\user\Desktop\file.exeCode function: 4_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,DeleteFileA,GetLastError,4_2_00406A60
          Source: C:\Users\user\Desktop\file.exeCode function: 4_2_00912102 CreateToolhelp32Snapshot,Module32First,4_2_00912102
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:8060:64:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3320:120:WilError_03
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:6288:64:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
          Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: C:\busoy\jigufab zakamiwir96 vovogimiwer-m.pdb source: file.exe, wdkncqjt.exe.4.dr
          Source: Binary string: [,C:\busoy\jigufab zakamiwir96 vovogimiwer-m.pdb source: file.exe, wdkncqjt.exe.4.dr

          Data Obfuscation

          Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 4.2.file.exe.400000.0.unpack
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Unpacked PE file: 16.2.wdkncqjt.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 4.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Unpacked PE file: 16.2.wdkncqjt.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 4_2_00406069
          Source: initial sample | Static PE information: section name: .text entropy: 7.56497347195729

          Persistence and Installation Behavior

          Source: unknown | Executable created and started: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe
          Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\wdkncqjt.exe
          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe (copy)
          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe (copy)
          Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ptlohvde
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ptlohvde binPath= "C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,HeapCreate,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 4_2_00409A6B

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\file.exe
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00401000
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_16-15106
          Source: C:\Users\user\Desktop\file.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_4-15043
          Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_23-6481
          Source: C:\Windows\SysWOW64\svchost.exe TID: 1548 | Thread sleep count: 1127 > 30
          Source: C:\Windows\SysWOW64\svchost.exe TID: 1548 | Thread sleep time: -1127000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe TID: 1548 | Thread sleep count: 8865 > 30
          Source: C:\Windows\SysWOW64\svchost.exe TID: 1548 | Thread sleep time: -8865000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_23-6440
          Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_4-15034
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_16-15077
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_23-6180
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_16-14709
          Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_4-14613
          Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 1127
          Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 8865
          Source: C:\Users\user\Desktop\file.exe | API coverage: 5.0 %
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | API coverage: 3.8 %
          Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_23-6150
          Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_4-14782
          Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_23-7452
          Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 23_2_025A199C
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | API call chain: ExitProcess graph end node graph_16-15080
          Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_23-6182
          Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_23-6442
          Source: svchost.exe, 00000000.00000002.3742954169.000001FA1D075000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: svchost.exe, 00000000.00000002.3739521061.000001FA1D013000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000000.00000002.3742954169.000001FA1D080000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000000.00000002.3741542961.000001FA1D054000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: svchost.exe, 00000026.00000002.3746737495.000002C2C4C75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
          Source: svchost.exe, 00000026.00000002.3749548171.000002C2C4CEA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: svchost.exe, 00000000.00000002.3739432670.000001FA1D000000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
          Source: svchost.exe, 00000000.00000002.3742954169.000001FA1D075000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
          Source: svchost.exe, 00000000.00000002.3744363509.000001FA1D08D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
          Source: svchost.exe, 00000017.00000002.3739603621.0000000002A00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 4_2_00401D96
          Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation

          Anti Debugging

          Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_23-7676
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 4_2_00406069
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0070092B mov eax, dword ptr fs:[00000030h] 4_2_0070092B
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00700D90 mov eax, dword ptr fs:[00000030h] 4_2_00700D90
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_009119DF push dword ptr fs:[00000030h] 4_2_009119DF
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Code function: 16_2_0061D2A7 push dword ptr fs:[00000030h] 16_2_0061D2A7
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Code function: 16_2_0074092B mov eax, dword ptr fs:[00000030h] 16_2_0074092B
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Code function: 16_2_00740D90 mov eax, dword ptr fs:[00000030h] 16_2_00740D90
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 4_2_0040EBCC
          Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,HeapCreate,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 4_2_00409A6B
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Code function: 16_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,HeapCreate,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 16_2_00409A6B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_025A9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 23_2_025A9A6B

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 193.106.174.220 443
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.5 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.1 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.74 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.212.0 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.53.36 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.40.29 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.74 25
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 80.66.75.77 443
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 25A0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 25A0000 value starts with: 4D5A
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 25A0000
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2606008
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ptlohvde\
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wdkncqjt.exe" C:\Windows\SysWOW64\ptlohvde\
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ptlohvde binPath= "C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ptlohvde "wifi internet conection
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ptlohvde
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7448 -ip 7448
          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 632Jump to behavior
          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7956 -ip 7956Jump to behavior
          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7956 -s 540Jump to behavior
          Source: C:\Users\user\Desktop\file.exeCode function: 4_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,4_2_00406EDD
          Source: C:\Users\user\Desktop\file.exeCode function: 4_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,4_2_00407809
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exeQueries volume information: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,4_2_0040EC54
          Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,4_2_0040B211
          Source: C:\Users\user\Desktop\file.exeCode function: 4_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,4_2_00407809
          Source: C:\Users\user\Desktop\file.exeCode function: 4_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,4_2_0040405E
          Source: C:\Users\user\Desktop\file.exeCode function: 4_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,4_2_00409326

          Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 occurrences)
Source: svchost.exe, 00000003.00000002.3746581915.0000028D7406E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000003.00000002.3749355979.0000028D74102000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
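The process-creation records in this section and in the HIPS evasion section above describe one installation chain: cmd.exe creates C:\Windows\SysWOW64\ptlohvde\ and moves the dropped binary from the user's Temp folder into it, sc.exe registers that binary as an auto-start service named after the directory (with the installer's own path passed as /d so it can be deleted later), sc.exe starts it, and netsh.exe adds an inbound allow rule for C:\Windows\SysWOW64\svchost.exe, the process that later receives the injected PE image and whose Winsock chain in the Remote Access section includes bind, listen and accept. The detector below correlates those tells by parent process. It is an added example, not code from the Joe Sandbox report or from the sample; the event records are constructed from the command lines printed on this page, the parent/image/cmdline field layout is an assumed Sysmon-like shape, and the VendorSvc installer is a made-up benign control.

```python
"""Flag the Tofsee-style service-install chain shown in the report's
process-creation records (cmd mkdir/move into SysWOW64, sc create/start,
netsh inbound allow rule).  Added example; not code from the report or sample.
Event records are constructed from the command lines the report prints; the
(parent, image, cmdline) layout is an assumed Sysmon-like shape."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the process that spawned this one
    image: str     # image path of the new process
    cmdline: str   # command line exactly as logged


SYSWOW64 = re.escape(r"C:\Windows\SysWOW64")
RE_MKDIR = re.compile(r'\bmkdir\s+"?(' + SYSWOW64 + r'\\[^"\s\\]+)', re.I)
RE_MOVE = re.compile(r'\bmove\s+/Y\s+"?([A-Za-z]:\\.+?\.exe)"?\s+(' + SYSWOW64 + r'\\[^"\s\\]+)', re.I)
RE_SC_CREATE = re.compile(r'\bsc\.exe"?\s+create\s+(\S+)\s.*?\bbinPath=\s*"?([A-Za-z]:\\.+?\.exe)\b', re.I)
RE_SC_START = re.compile(r'\bsc\.exe"?\s+start\s+(\S+)', re.I)
RE_NETSH_ALLOW = re.compile(
    r'advfirewall\s+firewall\s+add\s+rule\b(?=.*\bdir=in\b)(?=.*\baction=allow\b).*?\bprogram="?([^"\s]+)', re.I)
# Service binary living in a same-named, eight-lowercase-letter directory under SysWOW64.
RE_RANDOM_SVC_DIR = re.compile(SYSWOW64 + r'\\([a-z]{8})\\[a-z]{8}\.exe$')

# Constructed from the command lines on this page (Tofsee chain), plus one made-up benign control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\file.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ptlohvde' + "\\"),
    ProcEvent(r"C:\Users\user\Desktop\file.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wdkncqjt.exe" C:\Windows\SysWOW64\ptlohvde' + "\\"),
    ProcEvent(r"C:\Users\user\Desktop\file.exe", r"C:\Windows\SysWOW64\sc.exe",
              r'C:\Windows\System32\sc.exe" create ptlohvde binPath= "C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support'),
    ProcEvent(r"C:\Users\user\Desktop\file.exe", r"C:\Windows\SysWOW64\sc.exe",
              r'C:\Windows\System32\sc.exe" description ptlohvde "wifi internet conection'),
    ProcEvent(r"C:\Users\user\Desktop\file.exe", r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" start ptlohvde'),
    ProcEvent(r"C:\Users\user\Desktop\file.exe", r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    # Benign control (constructed): an ordinary installer registering a service, no firewall rule.
    ProcEvent(r"C:\Program Files\Vendor\setup.exe", r"C:\Windows\System32\sc.exe",
              r'"C:\Windows\System32\sc.exe" create VendorSvc binPath= "C:\Program Files\Vendor\svc.exe" start= auto'),
]


def analyze(events):
    """Group process creations by parent and return one finding record per parent."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev.parent.lower()].append(ev)

    findings = {}
    for parent, evs in by_parent.items():
        f = {"staging_dir": None, "moved_from": None, "service_name": None,
             "service_binary": None, "service_started": False,
             "firewall_program": None, "reasons": [], "verdict": False}
        started, firewall_cmd = set(), ""
        for ev in evs:
            cmd = ev.cmdline
            if m := RE_MKDIR.search(cmd):
                f["staging_dir"] = m.group(1)
            if m := RE_MOVE.search(cmd):
                f["moved_from"], f["staging_dir"] = m.group(1), m.group(2)
            if m := RE_SC_CREATE.search(cmd):
                f["service_name"], f["service_binary"] = m.group(1), m.group(2)
            if m := RE_SC_START.search(cmd):
                started.add(m.group(1).lower())
            if m := RE_NETSH_ALLOW.search(cmd):
                f["firewall_program"], firewall_cmd = m.group(1), cmd
        f["service_started"] = bool(f["service_name"]) and f["service_name"].lower() in started

        binary = f["service_binary"] or ""
        if (m := RE_RANDOM_SVC_DIR.search(binary)) and m.group(1) == f["service_name"]:
            f["reasons"].append("service runs from a same-named random 8-letter dir under SysWOW64")
        if f["staging_dir"] and binary.lower().startswith(f["staging_dir"].lower() + "\\"):
            f["reasons"].append("service binary was staged there by cmd.exe mkdir/move")
        if f["moved_from"] and "\\temp\\" in f["moved_from"].lower():
            f["reasons"].append("binary came from a user Temp directory")
        prog = f["firewall_program"] or ""
        if prog.lower().endswith("\\svchost.exe") and "service=" not in firewall_cmd.lower():
            f["reasons"].append("inbound allow rule for svchost.exe without a service= qualifier")
        # Verdict: a new service plus a firewall exception from the same parent,
        # backed by at least two of the staging/masquerading tells above.
        f["verdict"] = bool(f["service_name"] and f["firewall_program"]) and len(f["reasons"]) >= 2
        findings[parent] = f
    return findings


if __name__ == "__main__":
    for parent, f in analyze(SAMPLE_EVENTS).items():
        print(parent, "->", "MALICIOUS" if f["verdict"] else "ok", f["reasons"])
```

Sysmon Event ID 1 fields ParentImage, Image and CommandLine map directly onto the three record fields. The eight-letter directory pattern is tuned to this sample and is one signal among several; the staging-from-Temp and svchost.exe-without-service= checks carry across other droppers that follow the same sc.exe plus netsh.exe recipe.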

          Stealing of Sensitive Information

Source: Yara match | File source: 4.3.file.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.wdkncqjt.exe.ea0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.wdkncqjt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.25a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.wdkncqjt.exe.ee0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.25a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.wdkncqjt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.file.exe.700e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.wdkncqjt.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.wdkncqjt.exe.740e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.1572907946.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1409298622.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7448, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wdkncqjt.exe PID: 7956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 4.3.file.exe.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.wdkncqjt.exe.ea0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.wdkncqjt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.25a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.wdkncqjt.exe.ee0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.25a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.wdkncqjt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.file.exe.700e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.wdkncqjt.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.wdkncqjt.exe.740e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.1572907946.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1409298622.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7448, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wdkncqjt.exe PID: 7956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function 4_2_004088B0: CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
Source: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe | Code function 16_2_004088B0: CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
Source: C:\Windows\SysWOW64\svchost.exe | Code function 23_2_025A88B0: CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
MITRE ATT&CK matrix (one line per tactic, techniques in the report's row order; the number in parentheses is the signature-count badge the report shows next to a matched technique, unmatched techniques carry none):

Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation (1); Native API (41); Command and Scripting Interpreter (2); Service Execution (3); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Valid Accounts (1); Windows Service (14); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: Valid Accounts (1); Access Token Manipulation (1); Windows Service (14); Process Injection (412); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: Disable or Modify Tools (3); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (22); File Deletion (1); Masquerading (12); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (23); Process Injection (412)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (26); Security Software Discovery (251); Virtualization/Sandbox Evasion (23); Process Discovery (1); Application Window Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (112); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Generate Fraudulent Advertising Revenue
Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph (ID 1322389, sample file.exe, start date 09/10/2023, architecture WINDOWS, score 100). The graph image is not reproduced; its nodes and edges are rebuilt here as a tree:

Start node
  DNS/IP: vanaheim.cn; mta6.am0.yahoodns.net; 3 other IPs or domains
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
  Started: wdkncqjt.exe; file.exe; svchost.exe; 6 other processes

wdkncqjt.exe
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
  Started: svchost.exe; WerFault.exe

file.exe
  Dropped: C:\Users\user\AppData\Local\...\wdkncqjt.exe, PE32
  Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  Started: cmd.exe (first); netsh.exe; cmd.exe (second); 4 other processes

svchost.exe (started from the start node)
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  Started: MpCmdRun.exe

6 other processes
  Signatures: Query firmware table information (likely to detect VMs)
  Started: WerFault.exe; WerFault.exe

svchost.exe (started by wdkncqjt.exe)
  DNS/IP: mta6.am0.yahoodns.net 98.136.96.74, 25, 49824 YAHOO-NE1US United States; 67.195.204.74, 25, 49835 YAHOO-3US United States; 8 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation

cmd.exe (first)
  Dropped: C:\Windows\SysWOW64\...\wdkncqjt.exe (copy), PE32
  Started: conhost.exe
netsh.exe
  Started: conhost.exe
cmd.exe (second)
  Started: conhost.exe
MpCmdRun.exe
  Started: conhost.exe
4 other processes
  Started: conhost.exe; conhost.exe; conhost.exe

Source | Detection | Scanner | Label
file.exe | 34% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | HEUR/AGEN.1312677
file.exe | 100% | Joe Sandbox ML | -

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\wdkncqjt.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\wdkncqjt.exe | 100% | Joe Sandbox ML | -

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://schemas.mi | 0% | URL Reputation | safe
jotunheim.name:443 | 100% | URL Reputation | malware
vanaheim.cn:443 | 100% | URL Reputation | malware
http://crl.ver) | 0% | Avira URL Cloud | safe
http://Passport.NET/STS</ds:KeyName></ds:KeyInfo><CipherData><Ci | 0% | Avira URL Cloud | safe
http://Passport.NET/tbpose | 0% | Avira URL Cloud | safe
http://passport.net/tb | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mta6.am0.yahoodns.net | 98.136.96.74 | true | true | - | unknown
jotunheim.name | 80.66.75.77 | true | true | - | unknown
microsoft-com.mail.protection.outlook.com | 40.93.207.5 | true | false | - | high
vanaheim.cn | 193.106.174.220 | true | true | - | unknown
yahoo.com | unknown | unknown | false | - | high

Name | Malicious | Antivirus Detection | Reputation
jotunheim.name:443 | true | URL Reputation: malware | unknown
vanaheim.cn:443 | true | URL Reputation: malware | unknown
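Read against the domain tables above, the ten Network Connect records in the HIPS evasion section show two behaviours from one injected C:\Windows\SysWOW64\svchost.exe: eight port-25 sessions to hosts that include the Yahoo and outlook.com mail exchangers the table resolves (spam delivery), and two port-443 connections to vanaheim.cn and jotunheim.name, which the table marks malicious. The script below scores both from connection logs. It is an added example, not code from the Joe Sandbox report or from the sample; its input lines are constructed from the report's connections plus one made-up Firefox line as a control, the "Source: <image> | Network Connect: <ip> <port>" layout is chosen for this example, and MAIL_CLIENTS and the fan-out threshold are assumptions.

```python
"""Heuristics over per-process connection records: SMTP fan-out from a process
that is not a mail client, a network-active svchost.exe outside System32, and
contact with hosts the report's domain table marks malicious.
Added example; not code from the report or the sample.  Input lines are
constructed from the ten connections the report lists (plus one benign
control); the record layout is this example's own."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^Source:\s+(?P<image>.+?)\s*\|\s*Network Connect:\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\s*$")

# IPs the report's domain table flags as malicious, with the names it resolved for them.
KNOWN_BAD = {"193.106.174.220": "vanaheim.cn", "80.66.75.77": "jotunheim.name"}
# Assumption: the only workstation processes expected to speak SMTP directly.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_FANOUT_THRESHOLD = 3   # distinct port-25 destinations before we call it a spam engine

# Constructed from the report's Network Connect lines; the firefox.exe line is a made-up control.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 193.106.174.220 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.5 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.1 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.74 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.212.0 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.53.36 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.40.29 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.74 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 80.66.75.77 443
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Network Connect: 104.47.53.36 443
"""


def parse(lines):
    """Return (image, ip, port) for every line that matches the record layout."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["image"], m["ip"], int(m["port"])))
    return records


def assess(records):
    """Return one finding per source image: SMTP targets, C2 hits, reasons, verdict."""
    per_image = defaultdict(lambda: {"smtp_targets": set(), "c2_hits": {},
                                     "reasons": [], "verdict": False})
    for image, ip, port in records:
        f = per_image[image]
        if port == 25:
            f["smtp_targets"].add(ip)
        if ip in KNOWN_BAD:
            f["c2_hits"][ip] = KNOWN_BAD[ip]

    for image, f in per_image.items():
        exe = image.rsplit("\\", 1)[-1].lower()
        n = len(f["smtp_targets"])
        if n >= SMTP_FANOUT_THRESHOLD and exe not in MAIL_CLIENTS:
            f["reasons"].append(f"direct SMTP to {n} distinct hosts from {exe}")
        # Service hosts normally run from System32; a network-active svchost.exe
        # elsewhere matches the report's injected-SysWOW64-svchost pattern.
        if exe == "svchost.exe" and not image.lower().startswith("c:\\windows\\system32\\"):
            f["reasons"].append("svchost.exe image outside System32 has network activity")
        for ip, name in f["c2_hits"].items():
            f["reasons"].append(f"connection to {name} ({ip}), flagged malicious in the report")
        f["verdict"] = bool(f["reasons"])
    return dict(per_image)


if __name__ == "__main__":
    for image, f in assess(parse(SAMPLE_LINES.strip().splitlines())).items():
        print(image, "->", "MALICIOUS" if f["verdict"] else "ok", f["reasons"])
```

On a workstation the SMTP fan-out rule alone is a strong signal, since end-user hosts send mail through a submission server rather than to many MX hosts on port 25; the KNOWN_BAD lookup is a plain indicator match and only stays useful while those infrastructure IPs remain in use.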
Name | Source | Malicious | Antivirus Detection | Reputation
https://account.live.com/inlinesignup.aspx?iww=1&id=80601 | svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603 | svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://schemas.mi | svchost.exe, 00000026.00000002.3750116583.000002C2C5500000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdst= | svchost.exe, 00000026.00000003.3107167741.000002C2C552D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/09/policy | svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750338270.000002C2C555F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750217722.000002C2C5513000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf | svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80605 | svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604 | svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://account.live.com/msangcwam | svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3091154069.000002C2C552A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf | svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf | svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crl.ver) | svchost.exe, 00000026.00000002.3750551269.000002C2C5A02000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdcuri | svchost.exe, 00000026.00000002.3750116583.000002C2C5500000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://passport.net/tb | svchost.exe, 00000026.00000002.3749548171.000002C2C4CB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750338270.000002C2C555F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750217722.000002C2C5513000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf | svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://login.microsoftonline.com/ppsecure/ResolveUser.srf | svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://Passport.NET/STS</ds:KeyName></ds:KeyInfo><CipherData><Ci | svchost.exe, 00000026.00000002.3749729471.000002C2C4D02000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.microsoftonline.com/MSARST2.srf | svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdxmlns: | svchost.exe, 00000026.00000003.3107167741.000002C2C552D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://standards.iso.org/iso/19770/-2/2009/schema.xsd | svchost.exe, 00000002.00000002.3746383824.0000018D1173F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3742838049.0000018D10E88000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.2.dr | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue | svchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://Passport.NET/tbpose | svchost.exe, 00000026.00000003.3112243315.000002C2C5A58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750847365.000002C2C5A59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf | svchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://account.live.com/Wizard/Password/Change?id=80601 | svchost.exe, 00000026.00000003.3091042444.000002C2C5556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090566946.000002C2C5552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmp | false
                                                              high
                                                              http://schemas.xmlsoap.org/ws/2005/02/scsvchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750338270.000002C2C555F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuesvchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://account.live.com/inlinesignup.aspx?iww=1&id=80600svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesvchost.exe, 00000026.00000002.3750250625.000002C2C5537000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfsvchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://login.microsoftonline.com/ppsecure/devicechangecredential.srfsvchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2005/02/scerencesvchost.exe, 00000026.00000002.3750217722.000002C2C5513000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://login.microsoftonline.com/ppsecure/EnumerateDevices.srfsvchost.exe, 00000026.00000002.3746709876.000002C2C4C45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 00000026.00000003.3107442635.000002C2C5557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750444056.000002C2C5578000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750116583.000002C2C5500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3107367797.000002C2C5554000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://account.live.com/InlineSignup.aspx?iww=1&id=80502svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090770009.000002C2C553B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://signup.live.com/signup.aspxsvchost.exe, 00000026.00000003.3090811556.000002C2C5540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 00000026.00000002.3746737495.000002C2C4C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3090852640.000002C2C5563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsvchost.exe, 00000026.00000002.3746653183.000002C2C4C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3107442635.000002C2C5557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750444056.000002C2C5578000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3750116583.000002C2C5500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3107367797.000002C2C5554000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
193.106.174.220 | vanaheim.cn | Russian Federation | 50465 | IQHOSTRU | true
40.93.207.5 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.101.40.29 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
40.93.207.1 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
98.136.96.74 | mta6.am0.yahoodns.net | United States | 36646 | YAHOO-NE1US | true
67.195.204.74 | unknown | United States | 26101 | YAHOO-3US | true
80.66.75.77 | jotunheim.name | Russian Federation | 20803 | RISS-ASRU | true
40.93.212.0 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
104.47.54.36 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
104.47.53.36 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
General Information

Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1322389
Start date and time: 2023-10-09 21:01:10 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 44
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@40/5@18/10
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 62
• Number of non-executed functions: 259
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe
• Excluded IPs from analysis (whitelisted): 20.231.239.246, 20.76.201.171, 20.70.246.20, 20.236.44.162, 20.112.250.133, 20.190.151.67, 20.190.151.68, 20.190.151.134, 20.190.151.131, 20.190.151.69, 20.190.151.133, 20.190.151.8, 20.190.151.6
• Excluded domains from analysis (whitelisted): www.bing.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.trafficmanager.net, microsoft.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtDeviceIoControlFile calls found
• Report size getting too big, too many NtEnumerateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: file.exe
Time | Type | Description
21:02:56 | API Interceptor | 3x Sleep call for process: MpCmdRun.exe modified
21:03:01 | API Interceptor | 64254x Sleep call for process: svchost.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | NkQsS8A3sk.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
193.106.174.220 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
40.93.207.5 | file.exe | malicious | Tofsee
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
mta6.am0.yahoodns.net | file.msg.scr.exe | malicious | Unknown | 67.195.228.106
mta6.am0.yahoodns.net | file.exe | malicious | Tofsee | 67.195.228.94
mta6.am0.yahoodns.net | .exe | malicious | Unknown | 98.136.96.91
mta6.am0.yahoodns.net | file.exe | malicious | Tofsee | 98.136.96.76
mta6.am0.yahoodns.net | file.log.exe | malicious | Unknown | 67.195.228.94
mta6.am0.yahoodns.net | data.log.exe | malicious | Unknown | 67.195.228.109
mta6.am0.yahoodns.net | message.elm.exe | malicious | Unknown | 67.195.204.79
mta6.am0.yahoodns.net | message.txt.exe | malicious | Unknown | 98.136.96.77
mta6.am0.yahoodns.net | test.dat.exe | malicious | Unknown | 98.136.96.77
mta6.am0.yahoodns.net | Update-KB7390-x86.exe | malicious | Unknown | 67.195.228.110
mta6.am0.yahoodns.net | Update-KB6734-x86.exe | malicious | Unknown | 67.195.228.111
mta6.am0.yahoodns.net | Update-KB5058-x86.exe | malicious | Unknown | 98.136.96.77
mta6.am0.yahoodns.net | Update-KB78-x86.exe | malicious | Unknown | 98.136.96.77
mta6.am0.yahoodns.net | file.txt.exe | malicious | Unknown | 67.195.204.72
                                                                                                                                                                              Update-KB250-x86.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 98.136.96.74
                                                                                                                                                                              Update-KB2984-x86.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 67.195.204.79
                                                                                                                                                                              doc.msg.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 67.195.228.94
                                                                                                                                                                              3hTS09wZ7G.exeGet hashmaliciousRaccoon RedLine SmokeLoader TofseeBrowse
                                                                                                                                                                              • 67.195.228.110
                                                                                                                                                                              DUpgpAnHkq.exeGet hashmaliciousRaccoon RedLine SmokeLoader TofseeBrowse
                                                                                                                                                                              • 67.195.204.73
                                                                                                                                                                              38fd2cb3083f33b50606b7821453769103bde24335734.exeGet hashmaliciousRaccoon RedLine SmokeLoader Tofsee XmrigBrowse
                                                                                                                                                                              • 67.195.228.94
Match: jotunheim.name
  file.exe (19 separate entries) | malicious | Tofsee | 80.66.75.77
  NkQsS8A3sk.exe | malicious | Tofsee | 80.66.75.77
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: IQHOSTRU
  file.exe (19 separate entries) | malicious | Tofsee | 193.106.174.220
  NkQsS8A3sk.exe | malicious | Tofsee | 193.106.174.220
Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
  SecuriteInfo.com.Trojan.Siggen21.37922.29840.21903.exe | malicious | DBatLoader, FormBook | 20.135.6.2
  file.exe | malicious | Tofsee | 104.47.54.36
  file.exe | malicious | Tofsee | 40.93.212.0
  Important cyeager@live-quinn.com Notification 10 6 2023 9 28 38 PM.eml | malicious | Unknown | 20.246.247.192
  Important cyeager@live-quinn.com Notification 10 6 2023 9 28 38 PM.eml | malicious | Unknown | 138.91.254.96
  New VM notifcation for lnorton@carollo.com (1).eml | malicious | Unknown | 52.109.8.89
  https://decatoria.com/eutt/?48528721 | malicious | DarkGate, MailPassView | 20.189.173.22
  file.exe | malicious | Tofsee | 104.47.53.36
  http://smtplink.usssa.com/ls/click?upn=WSslNwXrfTzmOiygdbhyJ6-2FBkqSXpJKBo0qDJw7VpA0ad0aSHI26IfGEk6sZrui2d7xEV5p2HM-2FZHSkpQW3xrKZ2xzIHuxwBZnLTUHDoQao-3DOa19_4QyxBKDn7-2F0P3JvMNI1lbtONQP6csqkVplPiJT7H0rK0aBI5myixuE8nacygRshTZpU4i4qksvs3n-2BEcDBmM2yFUJR82k1Ru-2FEPJKOAg7OOszgeW93ALeDKuBxAGiPIvfw8D7EcQjomFj0t57CLf96XvI108CeM67vG57aoBJEqd8x2-2Bp5TBj3q5BqNV7eOGH8ZBHg-2Fyou5DZMpzZIY89fqFOTmD-2FY6nJaVJnmEXEQs-3D | malicious | Unknown | 13.107.213.69
  file.exe | malicious | Tofsee | 104.47.54.36
  50000PCSPIC12F1501-ESN.exe | malicious | AgentTesla | 13.107.246.69
  https://p.feedblitz.com/t3/882921/109614235/13473938/https://viewfromthewing.com/airbnb-guest-stayed-500-nights-and-demanded-100000-to-leave-because-california/ | malicious | Unknown | 40.76.134.238
  file.exe | malicious | Tofsee | 104.47.53.36
  ATT80942.htm | malicious | HTMLPhisher | 13.107.213.71
  https://ariseaustinmedicalcenter-my.sharepoint.com/:b:/g/personal/bluetters_arisemedicalcenter_com/EReXmLwb075FnWYdal5H5qkBMJXjMe9RvK0odzhjwhjxHQ?e=4%3awrVXUi&fromShare=true&at=9 | malicious | Unknown | 13.107.136.10
  payment_62_mt103_03.10.2023_PDF.exe | malicious | DBatLoader, FormBook | 20.119.0.38
  https://bitbucket.org/flctloading/flctplus/downloads/_00-59-voicemail.html | malicious | HTMLPhisher | 13.107.213.69
  Hv-X-0008938_LOI_po.exe | malicious | AgentTesla, DBatLoader | 13.107.213.69
  file.exe | malicious | Tofsee | 104.47.54.36
  EPtVmZ90nq.elf | malicious | Mirai | 20.176.186.158
Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
  SecuriteInfo.com.Trojan.Siggen21.37922.29840.21903.exe | malicious | DBatLoader, FormBook | 20.135.6.2
  file.exe | malicious | Tofsee | 104.47.54.36
  file.exe | malicious | Tofsee | 40.93.212.0
  Important cyeager@live-quinn.com Notification 10 6 2023 9 28 38 PM.eml | malicious | Unknown | 20.246.247.192
  Important cyeager@live-quinn.com Notification 10 6 2023 9 28 38 PM.eml | malicious | Unknown | 138.91.254.96
  New VM notifcation for lnorton@carollo.com (1).eml | malicious | Unknown | 52.109.8.89
  https://decatoria.com/eutt/?48528721 | malicious | DarkGate, MailPassView | 20.189.173.22
  file.exe | malicious | Tofsee | 104.47.53.36
  http://smtplink.usssa.com/ls/click?upn=WSslNwXrfTzmOiygdbhyJ6-2FBkqSXpJKBo0qDJw7VpA0ad0aSHI26IfGEk6sZrui2d7xEV5p2HM-2FZHSkpQW3xrKZ2xzIHuxwBZnLTUHDoQao-3DOa19_4QyxBKDn7-2F0P3JvMNI1lbtONQP6csqkVplPiJT7H0rK0aBI5myixuE8nacygRshTZpU4i4qksvs3n-2BEcDBmM2yFUJR82k1Ru-2FEPJKOAg7OOszgeW93ALeDKuBxAGiPIvfw8D7EcQjomFj0t57CLf96XvI108CeM67vG57aoBJEqd8x2-2Bp5TBj3q5BqNV7eOGH8ZBHg-2Fyou5DZMpzZIY89fqFOTmD-2FY6nJaVJnmEXEQs-3D | malicious | Unknown | 13.107.213.69
                                                                                                                                                                              • 13.107.213.69
                                                                                                                                                                              file.exeGet hashmaliciousTofseeBrowse
                                                                                                                                                                              • 104.47.54.36
                                                                                                                                                                              50000PCSPIC12F1501-ESN.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                              • 13.107.246.69
                                                                                                                                                                              https://p.feedblitz.com/t3/882921/109614235/13473938/https://viewfromthewing.com/airbnb-guest-stayed-500-nights-and-demanded-100000-to-leave-because-california/Get hashmaliciousUnknownBrowse
                                                                                                                                                                              • 40.76.134.238
                                                                                                                                                                              file.exeGet hashmaliciousTofseeBrowse
                                                                                                                                                                              • 104.47.53.36
                                                                                                                                                                              ATT80942.htmGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                              • 13.107.213.71
                                                                                                                                                                              https://ariseaustinmedicalcenter-my.sharepoint.com/:b:/g/personal/bluetters_arisemedicalcenter_com/EReXmLwb075FnWYdal5H5qkBMJXjMe9RvK0odzhjwhjxHQ?e=4%3awrVXUi&fromShare=true&at=9Get hashmaliciousUnknownBrowse
                                                                                                                                                                              • 13.107.136.10
                                                                                                                                                                              payment_62_mt103_03.10.2023_PDF.exeGet hashmaliciousDBatLoader, FormBookBrowse
                                                                                                                                                                              • 20.119.0.38
                                                                                                                                                                              https://bitbucket.org/flctloading/flctplus/downloads/_00-59-voicemail.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                              • 13.107.213.69
                                                                                                                                                                              Hv-X-0008938_LOI_po.exeGet hashmaliciousAgentTesla, DBatLoaderBrowse
                                                                                                                                                                              • 13.107.213.69
                                                                                                                                                                              file.exeGet hashmaliciousTofseeBrowse
                                                                                                                                                                              • 104.47.54.36
                                                                                                                                                                              EPtVmZ90nq.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                              • 20.176.186.158
                                                                                                                                                                              No context
                                                                                                                                                                              No context
                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):999
                                                                                                                                                                              Entropy (8bit):4.966151115193747
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24:Jd4T7gw4TchTGBLnpHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGdp8HGuDyeHRuDye6MGFiP6euy
                                                                                                                                                                              MD5:930C5CE56CF8362E865E239EE3C1C67F
                                                                                                                                                                              SHA1:80E710A28E3E5D5A2C752F9565C4459405104CE5
                                                                                                                                                                              SHA-256:8B23DE7203E719FD08DB0B06C4A409834D6BD78467DAABDA430E6D606EB7D9DF
                                                                                                                                                                              SHA-512:1C992F403F6186A247E38FCFE3319D086859595C5C815907178596ADB9F5707A1967447EB4A896AF1A3531B66A237AB1B730F0AC1754996327152A03E7E7C7DB
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">...<entitlement_required_indicator>true</entitlement_required_indicator>...<product_title>Windows 10 Pro</product_title>...<product_version>....<name>10.0.19041.3393</name>....<numeric>.....<major>10</major>.....<minor>0</minor>.....<build>19041</build>.....<review>3393</review>....</numeric>...</product_version>...<software_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_creator>...<software_licensor>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_licensor>...<software_id>....<unique_id>Windows-10-Pro</unique_id>....<tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>...</software_id>...<tag_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</tag_creator>..</software_identification_tag>..
                                                                                                                                                                              Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):13209600
                                                                                                                                                                              Entropy (8bit):2.868643584614283
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:6144:xfua5zK5RPslwCxS0A5TsIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIr:xf9k5Fzsc
                                                                                                                                                                              MD5:B11DD4A2DA4ABF719066A2DB8F95983F
                                                                                                                                                                              SHA1:618AB3A3FB31B4B557485D432B6B1B08416BA96F
                                                                                                                                                                              SHA-256:E812FBBDF9C76527B4FCDFA37DB853F7341857228804913FFBE6631F54F4089D
                                                                                                                                                                              SHA-512:2F5565247A63B804CDBD3E292241AFB2B05C6C70AA76FD7ED1055881751B3D2CD1945DE62AC58EB9E0A21259DB82BD48BE342B210EC4DDF2032E39DFFA19E2CC
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.%.z.K.z.K.z.K.d...f.K.d.....K.d...J.K.].0.s.K.z.J...K.d...{.K.d...{.K.d...{.K.Richz.K.................PE..L...@..b....................."......kZ............@..................................L.........................................d.......h........................... ................................H..@............................................text....~.......................... ..`.data...pb..........................@....rsrc...h...........................@..@.reloc..6).......Z...6..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe
                                                                                                                                                                              File Type:data
                                                                                                                                                                              Category:modified
                                                                                                                                                                              Size (bytes):2546
                                                                                                                                                                              Entropy (8bit):3.2785459853693073
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24:Oaq/Fa4F3r/ItW+kWReHrgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIm:Oaqdz7/Iw+AHEHdKoqKFxcxkFNIW
                                                                                                                                                                              MD5:390C586AF2CFA46D08D457D17A484E54
                                                                                                                                                                              SHA1:8F1294DE33A0011748615D3B152148D57F3F218E
                                                                                                                                                                              SHA-256:175776A9EB3D5DCB3531F3E4CCDFAA3E7B9278BCBC13A39115FBB4AA4CEFC42B
                                                                                                                                                                              SHA-512:F165C207799B312E6F51794C8EF07186E5E0BC256294F0ADEC2213BE5F59A18ADC4E843776BAC45DAD6CA1910A764B882BDD12C06F1FA877B464FAD1F1DE9661
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Preview:........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.P.l.a.t.f.o.r.m.\.4...1.8...2.3.0.9.0...2.0.0.8.-.0.\.M.p.C.m.d.R.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. M.o.n. .. O.c.t. .. 0.9. .. 2.0.2.3. .2.1.:.0.2.:.5.6.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.(.0.x.5.).:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.
                                                                                                                                                                              Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):13209600
                                                                                                                                                                              Entropy (8bit):2.868643584614283
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:6144:xfua5zK5RPslwCxS0A5TsIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIr:xf9k5Fzsc
                                                                                                                                                                              MD5:B11DD4A2DA4ABF719066A2DB8F95983F
                                                                                                                                                                              SHA1:618AB3A3FB31B4B557485D432B6B1B08416BA96F
                                                                                                                                                                              SHA-256:E812FBBDF9C76527B4FCDFA37DB853F7341857228804913FFBE6631F54F4089D
                                                                                                                                                                              SHA-512:2F5565247A63B804CDBD3E292241AFB2B05C6C70AA76FD7ED1055881751B3D2CD1945DE62AC58EB9E0A21259DB82BD48BE342B210EC4DDF2032E39DFFA19E2CC
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.%.z.K.z.K.z.K.d...f.K.d.....K.d...J.K.].0.s.K.z.J...K.d...{.K.d...{.K.d...{.K.Richz.K.................PE..L...@..b....................."......kZ............@..................................L.........................................d.......h........................... ................................H..@............................................text....~.......................... ..`.data...pb..........................@....rsrc...h...........................@..@.reloc..6).......Z...6..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):3773
                                                                                                                                                                              Entropy (8bit):4.7109073551842435
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                                                                                                              MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                                                                                                              SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                                                                                                              SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                                                                                                              SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                                                                                                              Malicious:false
Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
Note: this captured netsh output is a usage error ("A specified value is not valid." followed by the syntax of netsh advfirewall firewall add rule), so at least this attempt to add a firewall rule was rejected rather than applied. When reproducing the run, check the resulting rule set instead of assuming the rule exists.
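The two dropped-file entries above that share SHA-256 E812FBBD... are one file written twice (once by file.exe, once by cmd.exe). Its SSDEEP signature at block size 6144 contains the same 20-character substring as the submitted sample's signature at that block size and then runs into a long repeat of a single character, and 2.87 bits/byte over 13 MB means most of the file is a repeated pattern. The Python below is an added example, not part of the Joe Sandbox report; it reads the two signatures, sizes and entropy exactly as printed in the report and makes that comparison explicit. The signature layout ("blocksize:chunk:doublechunk") and the 7-character minimum common substring are ssdeep's own rules; everything else is local helper code.

```python
"""Read ssdeep (CTPH) signatures as printed in a sandbox report and check
whether a dropped file looks like the original sample plus padding.

A signature is 'blocksize:chunk:doublechunk'. Each character of 'chunk'
summarises roughly one block of input at 'blocksize' bytes, and
'doublechunk' does the same at twice that size. Chunks are only
comparable at an equal block size, and ssdeep itself needs a common
substring of at least ROLLING_WINDOW (7) characters to score a match.
"""
import math

ROLLING_WINDOW = 7

# Values copied from the report: the submitted file.exe and the 13 MB PE it
# dropped (SHA-256 E812FBBD...). Nothing below is computed from file contents.
ORIGINAL_SSDEEP = "3072:jHXfua5zpSxP5RcWrYlwRabrTRqQxSCcSd5PYe5OT99c:rfua5zK5RPslwCxS0A5Ts"
DROPPED_SSDEEP = ("6144:xfua5zK5RPslwCxS0A5TsIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIr"
                  ":xf9k5Fzsc")
ORIGINAL_SIZE = 221184
DROPPED_SIZE = 13209600
DROPPED_ENTROPY = 2.868643584614283   # bits per byte, from the report


def parse_ssdeep(sig):
    """Map block size -> chunk for both chunks of a signature."""
    sig = sig.split(",", 1)[0]          # drop an optional ',"filename"' suffix
    blocksize, chunk, double = sig.split(":", 2)
    return {int(blocksize): chunk, int(blocksize) * 2: double}


def longest_common_substring(a, b):
    """Classic dynamic-programming LCS; returns the substring taken from a."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def longest_run(chunk):
    """(character, length) of the longest repeat in a chunk. Each repeated
    character is another block whose content hashed the same way, i.e.
    repeated input such as padding."""
    best_char, best_len = chunk[0], 1
    run_char, run_len = chunk[0], 1
    for c in chunk[1:]:
        run_char, run_len = (c, run_len + 1) if c == run_char else (c, 1)
        if run_len > best_len:
            best_char, best_len = run_char, run_len
    return best_char, best_len


def min_distinct_byte_values(entropy_bits):
    """A byte stream with Shannon entropy H bits/byte uses at least 2**H distinct values."""
    return math.ceil(2 ** entropy_bits)


def assess_dropped_copy(orig_sig, dropped_sig, orig_size, dropped_size, dropped_entropy):
    """Compare the chunks that share a block size and measure the repeat in the dropped file."""
    orig, dropped = parse_ssdeep(orig_sig), parse_ssdeep(dropped_sig)
    shared = sorted(orig.keys() & dropped.keys())
    common = {bs: longest_common_substring(orig[bs], dropped[bs]) for bs in shared}
    first_chunk = dropped[min(dropped)]
    run_char, run_len = longest_run(first_chunk)
    return {
        "shared_block_sizes": shared,
        "common_substring": common,
        "ssdeep_would_match": any(len(s) >= ROLLING_WINDOW for s in common.values()),
        "padding_run": (run_char, run_len),
        "padding_share_of_chunk": run_len / len(first_chunk),
        "payload_share_by_size": orig_size / dropped_size,
        "min_distinct_byte_values": min_distinct_byte_values(dropped_entropy),
    }


if __name__ == "__main__":
    result = assess_dropped_copy(ORIGINAL_SSDEEP, DROPPED_SSDEEP,
                                 ORIGINAL_SIZE, DROPPED_SIZE, DROPPED_ENTROPY)
    for key, value in result.items():
        print(f"{key}: {value}")
```

What this does and does not show: the shared 20-character substring at block size 6144 is well above ssdeep's 7-character threshold, so the tool would report the two files as related, and the run of identical characters says that most of the dropped file hashes to one repeated block. It does not prove the dropped file is the original byte for byte with padding appended; the first character of the two 6144-block chunks differs (x versus r), which is consistent with a small change early in the file (for example a resized section header), so a byte-level diff of the two files is still needed to say exactly how the copy was inflated.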
                                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Entropy (8bit):6.951067853005325
                                                                                                                                                                              TrID:
                                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                              File name:file.exe
                                                                                                                                                                              File size:221'184 bytes
                                                                                                                                                                              MD5:21c68b05ac982cff12afcb9af3a5657d
                                                                                                                                                                              SHA1:3651d8e4e0fdc66c1f888e34337ae2c13cb9b904
SHA256: 19a4f6df26db3df254ccf6270b2abe2ef6bcf86264cd17acaa5a46995672bbe4
SHA512: 734382f3432b09248f02799b1ada19787fd29402164a551494c7197f3b45a2527edf1e5b44a907f7cda70b04351acbc547c309f31f8c4347cc16a059a24a8131
SSDEEP: 3072:jHXfua5zpSxP5RcWrYlwRabrTRqQxSCcSd5PYe5OT99c:rfua5zK5RPslwCxS0A5Ts
TLSH: A424BF217442D4B2C41741748824CAF4B97A7C729B994A8737A83FBF7E3139F676A306
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.%.z.K.z.K.z.K.d...f.K.d.....K.d...J.K.].0.s.K.z.J...K.d...{.K.d...{.K.d...{.K.Richz.K.................PE..L...@..b...........
Icon Hash: 4149495515594519
Entrypoint: 0x405a6b
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x62AAFB40 [Thu Jun 16 09:43:28 2022 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 3237b581b15be84c5fe874ddf55fe383
Instruction (disassembly at entrypoint)
call 00007F30AD32064Eh
jmp 00007F30AD31C22Dh
push 00000008h
push 00428008h
call 00007F30AD31D4E0h
mov ecx, dword ptr [ebp+08h]
test ecx, ecx
je 00007F30AD31C3DCh
cmp dword ptr [ecx], E06D7363h
jne 00007F30AD31C3D4h
mov eax, dword ptr [ecx+1Ch]
test eax, eax
je 00007F30AD31C3CDh
mov eax, dword ptr [eax+04h]
test eax, eax
je 00007F30AD31C3C6h
and dword ptr [ebp-04h], 00000000h
push eax
push dword ptr [ecx+18h]
call 00007F30AD3206F6h
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F30AD31D4EFh
ret
xor eax, eax
cmp byte ptr [ebp+0Ch], al
setne al
ret
mov esp, dword ptr [ebp-18h]
call 00007F30AD31C156h
int3
call 00007F30AD31E46Fh
xor ecx, ecx
cmp dword ptr [eax+00000090h], ecx
setne cl
mov al, cl
ret
mov edi, edi
push ebp
mov ebp, esp
push ecx
push esi
mov esi, dword ptr [ebp+0Ch]
push esi
call 00007F30AD31D27Bh
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [esi+0Ch]
pop ecx
test al, 82h
jne 00007F30AD31C3C9h
call 00007F30AD31C698h
mov dword ptr [eax], 00000009h
or dword ptr [esi+0Ch], 20h
or eax, FFFFFFFFh
jmp 00007F30AD31C4E4h
test al, 40h
je 00007F30AD31C3BFh
call 00007F30AD31C67Dh
mov dword ptr [eax], 00000022h
jmp 00007F30AD31C395h
push ebx
xor ebx, ebx
test al, 01h
je 00007F30AD31C3C8h
mov dword ptr [esi+04h], ebx
test al, 10h
je 00007F30AD31C43Dh
Programming Language:
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [C++] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x283e4 | 0x64 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a0000 | 0x9268 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1aa000 | 0xc84 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1220 | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4800 | 0x40 | .text |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x27ec2 | 0x28000 | False | 0.793011474609375 | data | 7.56497347195729 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x29000 | 0x176270 | 0x1e00 | False | 0.240234375 | data | 2.5028686123566812 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x1a0000 | 0x9268 | 0x9400 | False | 0.34245671452702703 | data | 4.357529473181734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x1aa000 | 0x2936 | 0x2a00 | False | 0.25790550595238093 | data | 2.769105373898482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x1a5628 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.27238805970149255 |
| RT_CURSOR | 0x1a64d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.375 |
| RT_CURSOR | 0x1a6d78 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.5057803468208093 |
| RT_CURSOR | 0x1a7310 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.30943496801705755 |
| RT_CURSOR | 0x1a81b8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.427797833935018 |
| RT_CURSOR | 0x1a8a60 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.5469653179190751 |
| RT_ICON | 0x1a03a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.35927505330490406 |
| RT_ICON | 0x1a1248 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.4697653429602888 |
| RT_ICON | 0x1a1af0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.46431535269709545 |
| RT_ICON | 0x1a4098 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.47209193245778613 |
| RT_ICON | 0x1a5140 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.49379432624113473 |
| RT_ACCELERATOR | 0x1a55f8 | 0x30 | data | English | United States | 0.9375 |
| RT_GROUP_CURSOR | 0x1a72e0 | 0x30 | data | English | United States | 0.9166666666666666 |
| RT_GROUP_CURSOR | 0x1a8fc8 | 0x30 | data | English | United States | 0.9375 |
| RT_GROUP_ICON | 0x1a55a8 | 0x4c | data | English | United States | 0.75 |
| RT_VERSION | 0x1a8ff8 | 0x270 | data | English | United States | 0.5208333333333334 |
DLL / Import
KERNEL32.dll: InterlockedCompareExchange, WriteConsoleInputA, AddConsoleAliasW, SetVolumeMountPointW, FreeEnvironmentStringsA, _lclose, GetProcessPriorityBoost, GetTickCount, GetNumberFormatA, GetWindowsDirectoryA, GetCompressedFileSizeW, GlobalAlloc, LoadLibraryW, AssignProcessToJobObject, EnumSystemCodePagesA, FindNextVolumeW, GetFileAttributesW, CreateActCtxA, GetLastError, GetProcAddress, VirtualAlloc, PeekConsoleInputW, RemoveDirectoryA, GetSystemWindowsDirectoryW, LoadLibraryA, CreateHardLinkW, BeginUpdateResourceA, GetCommMask, AddAtomA, FoldStringA, GlobalFindAtomW, GetOEMCP, OpenFileMappingW, FindNextFileW, EndUpdateResourceA, GetCurrentProcessId, ReadConsoleOutputCharacterW, LocalFree, ReadFile, GetProcessHeap, SetEndOfFile, LoadResource, PeekNamedPipe, SetComputerNameA, FillConsoleOutputCharacterA, MultiByteToWideChar, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, IsValidCodePage, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, Sleep, HeapSize, ExitProcess, RtlUnwind, RaiseException, WriteFile, GetModuleFileNameA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, HeapReAlloc, InitializeCriticalSectionAndSpinCount, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, CloseHandle, CreateFileA, GetModuleHandleA, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, FlushFileBuffers
USER32.dll: CharToOemBuffA, ChangeDisplaySettingsW, PostMessageW, LoadMenuA, GetWindowTextLengthW
GDI32.dll: GetCharacterPlacementA, GetPolyFillMode
ADVAPI32.dll: BackupEventLogW
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | (image not extracted) |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 9, 2023 21:02:28.165638924 CEST | 49714 | 25 | 192.168.2.3 | 40.93.207.5 |
| Oct 9, 2023 21:02:28.394243002 CEST | 25 | 49714 | 40.93.207.5 | 192.168.2.3 |
| Oct 9, 2023 21:02:28.394440889 CEST | 49714 | 25 | 192.168.2.3 | 40.93.207.5 |
| Oct 9, 2023 21:02:28.394665003 CEST | 49714 | 25 | 192.168.2.3 | 40.93.207.5 |
| Oct 9, 2023 21:02:28.622395039 CEST | 25 | 49714 | 40.93.207.5 | 192.168.2.3 |
| Oct 9, 2023 21:02:28.624763012 CEST | 25 | 49714 | 40.93.207.5 | 192.168.2.3 |
| Oct 9, 2023 21:02:28.625319958 CEST | 25 | 49714 | 40.93.207.5 | 192.168.2.3 |
| Oct 9, 2023 21:02:28.625602961 CEST | 49714 | 25 | 192.168.2.3 | 40.93.207.5 |
| Oct 9, 2023 21:02:28.625603914 CEST | 49714 | 25 | 192.168.2.3 | 40.93.207.5 |
| Oct 9, 2023 21:02:31.612354040 CEST | 49715 | 443 | 192.168.2.3 | 193.106.174.220 |
| Oct 9, 2023 21:02:31.612406969 CEST | 443 | 49715 | 193.106.174.220 | 192.168.2.3 |
| Oct 9, 2023 21:02:31.612474918 CEST | 49715 | 443 | 192.168.2.3 | 193.106.174.220 |
| Oct 9, 2023 21:03:11.625109911 CEST | 49715 | 443 | 192.168.2.3 | 193.106.174.220 |
| Oct 9, 2023 21:03:11.625381947 CEST | 443 | 49715 | 193.106.174.220 | 192.168.2.3 |
| Oct 9, 2023 21:03:11.626451969 CEST | 49715 | 443 | 192.168.2.3 | 193.106.174.220 |
                                                                                                                                                                              Oct 9, 2023 21:03:11.735172033 CEST49717443192.168.2.3193.106.174.220
                                                                                                                                                                              Oct 9, 2023 21:03:11.735203028 CEST44349717193.106.174.220192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:11.735373974 CEST49717443192.168.2.3193.106.174.220
                                                                                                                                                                              Oct 9, 2023 21:03:37.523569107 CEST4971925192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:37.747534037 CEST254971940.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:37.747839928 CEST4971925192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:37.747939110 CEST4971925192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:37.971501112 CEST254971940.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:37.973424911 CEST254971940.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:37.973515034 CEST4971925192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:37.973988056 CEST254971940.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:37.974050999 CEST4971925192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:38.858182907 CEST4972125192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:39.082415104 CEST254972140.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:39.082531929 CEST4972125192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:39.082881927 CEST4972125192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:39.306273937 CEST254972140.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:39.309248924 CEST254972140.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:39.309309959 CEST4972125192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:39.309974909 CEST254972140.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:39.310022116 CEST4972125192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:40.402002096 CEST4972325192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:40.630193949 CEST254972340.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:40.630368948 CEST4972325192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:40.630673885 CEST4972325192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:40.858059883 CEST254972340.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:40.860481977 CEST254972340.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:40.860682011 CEST4972325192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:40.860944033 CEST254972340.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:40.861016989 CEST4972325192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:42.967510939 CEST4972525192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:43.191179991 CEST254972540.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:43.191394091 CEST4972525192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:43.191526890 CEST4972525192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:43.415097952 CEST254972540.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:43.417088032 CEST254972540.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:43.417256117 CEST4972525192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:43.417668104 CEST254972540.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:43.417727947 CEST4972525192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:44.263802052 CEST4972725192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:44.487441063 CEST254972740.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:44.487620115 CEST4972725192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:44.488079071 CEST4972725192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:44.711230040 CEST254972740.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:44.713330030 CEST254972740.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:44.713396072 CEST4972725192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:44.713905096 CEST254972740.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:44.713953018 CEST4972725192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:45.697401047 CEST4972925192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:45.921560049 CEST254972940.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:45.921888113 CEST4972925192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:45.922240019 CEST4972925192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:46.146013021 CEST254972940.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:46.148380995 CEST254972940.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:46.148452997 CEST4972925192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:46.149599075 CEST254972940.93.207.1192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:46.149653912 CEST4972925192.168.2.340.93.207.1
                                                                                                                                                                              Oct 9, 2023 21:03:47.356520891 CEST4973125192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:47.564575911 CEST254973140.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:47.564946890 CEST4973125192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:47.565438986 CEST4973125192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:47.772838116 CEST254973140.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:47.799685955 CEST254973140.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:47.799911976 CEST4973125192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:47.800296068 CEST254973140.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:47.800357103 CEST4973125192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:48.823848963 CEST4973325192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:49.032001972 CEST254973340.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:49.032269001 CEST4973325192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:49.033145905 CEST4973325192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:49.240401983 CEST254973340.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:49.242321014 CEST254973340.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:49.242547989 CEST4973325192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:49.242916107 CEST254973340.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:49.243108988 CEST4973325192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:50.321916103 CEST4973525192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:50.529984951 CEST254973540.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:50.530234098 CEST4973525192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:50.531089067 CEST4973525192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:50.738662004 CEST254973540.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:50.740894079 CEST254973540.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:50.741086006 CEST4973525192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:50.741410017 CEST254973540.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:50.741481066 CEST4973525192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:51.749885082 CEST49717443192.168.2.3193.106.174.220
                                                                                                                                                                              Oct 9, 2023 21:03:51.749943972 CEST44349717193.106.174.220192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:51.750037909 CEST49717443192.168.2.3193.106.174.220
                                                                                                                                                                              Oct 9, 2023 21:03:51.828109980 CEST4973725192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:51.860044003 CEST49738443192.168.2.3193.106.174.220
                                                                                                                                                                              Oct 9, 2023 21:03:51.860116005 CEST44349738193.106.174.220192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:51.860214949 CEST49738443192.168.2.3193.106.174.220
                                                                                                                                                                              Oct 9, 2023 21:03:52.035895109 CEST254973740.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:52.036099911 CEST4973725192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:52.037112951 CEST4973725192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:52.245007992 CEST254973740.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:52.246368885 CEST254973740.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:52.246495008 CEST4973725192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:52.246772051 CEST254973740.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:52.246865988 CEST4973725192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:53.183600903 CEST4974025192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:53.391233921 CEST254974040.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:53.391383886 CEST4974025192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:53.392318010 CEST4974025192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:53.599447966 CEST254974040.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:53.601526022 CEST254974040.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:53.601608038 CEST4974025192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:53.602185965 CEST254974040.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:53.602354050 CEST4974025192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:54.660190105 CEST4974225192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:54.869772911 CEST254974240.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:54.870009899 CEST4974225192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:54.870973110 CEST4974225192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:55.078191996 CEST254974240.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:55.079722881 CEST254974240.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:03:55.079803944 CEST4974225192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:03:55.080598116 CEST254974240.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:18.982372046 CEST254977640.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:18.982448101 CEST4977625192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:19.786813974 CEST4977825192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:19.994802952 CEST254977840.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:19.994899988 CEST4977825192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:19.995111942 CEST4977825192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:20.203166962 CEST254977840.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:20.204605103 CEST254977840.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:20.204678059 CEST4977825192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:20.205260038 CEST254977840.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:20.205401897 CEST4977825192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:21.059871912 CEST4978025192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:21.268219948 CEST254978040.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:21.268352032 CEST4978025192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:21.268665075 CEST4978025192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:21.476824999 CEST254978040.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:21.478930950 CEST254978040.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:21.479006052 CEST4978025192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:21.479504108 CEST254978040.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:21.479554892 CEST4978025192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:22.275074005 CEST4978225192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:22.482856035 CEST254978240.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:22.483099937 CEST4978225192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:22.489255905 CEST4978225192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:22.693321943 CEST254978240.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:22.693546057 CEST4978225192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:22.696849108 CEST254978240.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:22.696909904 CEST4978225192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:22.697310925 CEST254978240.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:22.697350979 CEST4978225192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:23.463258028 CEST4978425192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:23.673840046 CEST254978440.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:23.674114943 CEST4978425192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:23.674866915 CEST4978425192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:23.882630110 CEST254978440.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:23.884661913 CEST254978440.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:23.884723902 CEST4978425192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:23.885137081 CEST254978440.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:23.885185003 CEST4978425192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:24.875777960 CEST4978625192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:25.084500074 CEST254978640.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:25.084703922 CEST4978625192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:25.085500956 CEST4978625192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:25.292848110 CEST254978640.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:25.295798063 CEST254978640.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:25.295880079 CEST4978625192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:25.295892000 CEST254978640.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:25.295962095 CEST4978625192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:26.272777081 CEST4978825192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:26.480968952 CEST254978840.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:26.481280088 CEST4978825192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:26.481369972 CEST4978825192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:26.689290047 CEST254978840.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:26.691509008 CEST254978840.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:26.691571951 CEST4978825192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:26.692019939 CEST254978840.93.212.0192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:26.692066908 CEST4978825192.168.2.340.93.212.0
                                                                                                                                                                              Oct 9, 2023 21:04:30.433305025 CEST4979025192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:30.657329082 CEST254979040.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:30.657659054 CEST4979025192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:30.658375025 CEST4979025192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:30.882040977 CEST254979040.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:30.883565903 CEST254979040.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:30.883739948 CEST4979025192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:30.884100914 CEST254979040.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:30.884182930 CEST4979025192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:31.679903030 CEST4979225192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:31.859193087 CEST49738443192.168.2.3193.106.174.220
                                                                                                                                                                              Oct 9, 2023 21:04:31.859325886 CEST44349738193.106.174.220192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:31.859586000 CEST49738443192.168.2.3193.106.174.220
                                                                                                                                                                              Oct 9, 2023 21:04:31.904306889 CEST254979240.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:31.904401064 CEST4979225192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:31.904943943 CEST4979225192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:31.969194889 CEST49793443192.168.2.3193.106.174.220
                                                                                                                                                                              Oct 9, 2023 21:04:31.969285965 CEST44349793193.106.174.220192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:31.969393969 CEST49793443192.168.2.3193.106.174.220
                                                                                                                                                                              Oct 9, 2023 21:04:32.130059958 CEST254979240.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:32.130721092 CEST254979240.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:32.130830050 CEST4979225192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:32.131499052 CEST254979240.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:32.131664991 CEST4979225192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:32.939619064 CEST4979525192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:33.168325901 CEST254979540.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:33.168421030 CEST4979525192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:33.168670893 CEST4979525192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:33.396204948 CEST254979540.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:33.398545027 CEST254979540.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:33.398636103 CEST4979525192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:33.399169922 CEST254979540.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:33.399230003 CEST4979525192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:34.168802023 CEST4979725192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:34.396637917 CEST254979740.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:34.396728992 CEST4979725192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:34.396951914 CEST4979725192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:34.624660015 CEST254979740.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:34.626475096 CEST254979740.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:34.626580954 CEST4979725192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:34.627053022 CEST254979740.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:34.627140045 CEST4979725192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:35.466730118 CEST4979925192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:35.694641113 CEST254979940.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:35.694725990 CEST4979925192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:35.695199966 CEST4979925192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:35.922878981 CEST254979940.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:35.924674034 CEST254979940.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:35.924736023 CEST4979925192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:35.925386906 CEST254979940.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:35.925436020 CEST4979925192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:36.770287037 CEST4980125192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:36.998550892 CEST254980140.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:36.998812914 CEST4980125192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:36.999840975 CEST4980125192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:37.227411985 CEST254980140.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:37.228729010 CEST254980140.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:04:37.229027987 CEST4980125192.168.2.340.93.207.5
                                                                                                                                                                              Oct 9, 2023 21:04:37.229409933 CEST254980140.93.207.5192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:41.489582062 CEST2549844104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:41.489639997 CEST4984425192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:42.305231094 CEST4984725192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:42.529664040 CEST2549847104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:42.529747963 CEST4984725192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:42.530077934 CEST4984725192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:42.753653049 CEST2549847104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:42.757977009 CEST2549847104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:42.758059978 CEST4984725192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:42.759552002 CEST2549847104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:42.759618998 CEST4984725192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:43.603405952 CEST4985025192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:43.831435919 CEST2549850104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:43.831537962 CEST4985025192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:43.831772089 CEST4985025192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:44.059098959 CEST2549850104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:44.062406063 CEST2549850104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:44.062585115 CEST4985025192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:44.063770056 CEST2549850104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:44.063821077 CEST4985025192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:44.847393036 CEST4985325192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:45.075284958 CEST2549853104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:45.075385094 CEST4985325192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:45.075618029 CEST4985325192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:45.304502010 CEST2549853104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:45.306204081 CEST2549853104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:45.306289911 CEST4985325192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:45.307538033 CEST2549853104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:45.307595015 CEST4985325192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:46.403316021 CEST4985625192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:46.631592035 CEST2549856104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:46.631753922 CEST4985625192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:46.631973028 CEST4985625192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:46.860336065 CEST2549856104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:47.223807096 CEST2549856104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:47.223892927 CEST4985625192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:47.224838972 CEST2549856104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:47.224895954 CEST4985625192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:47.650351048 CEST4985925192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:47.874728918 CEST2549859104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:47.874816895 CEST4985925192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:47.875173092 CEST4985925192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:48.098514080 CEST2549859104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:48.101303101 CEST2549859104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:48.101397991 CEST4985925192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:48.102695942 CEST2549859104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:48.102765083 CEST4985925192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:48.919071913 CEST4986225192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:49.146467924 CEST2549862104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:49.146568060 CEST4986225192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:49.146857977 CEST4986225192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:49.374346972 CEST2549862104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:49.377680063 CEST2549862104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:49.377743006 CEST4986225192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:49.379009008 CEST2549862104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:49.379053116 CEST4986225192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:50.148078918 CEST4986525192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:50.376245975 CEST2549865104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:50.376545906 CEST4986525192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:50.377291918 CEST4986525192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:50.605452061 CEST2549865104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:50.607858896 CEST2549865104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:50.608042955 CEST4986525192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:50.609086037 CEST2549865104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:50.609184980 CEST4986525192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:51.334201097 CEST4986825192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:51.557926893 CEST2549868104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:51.558130980 CEST4986825192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:51.558783054 CEST4986825192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:51.781972885 CEST2549868104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:51.784666061 CEST2549868104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:51.784826040 CEST4986825192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:51.785892963 CEST2549868104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:51.785958052 CEST4986825192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:52.108907938 CEST49825443192.168.2.3193.106.174.220
                                                                                                                                                                              Oct 9, 2023 21:05:52.109064102 CEST44349825193.106.174.220192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:52.109194040 CEST49825443192.168.2.3193.106.174.220
                                                                                                                                                                              Oct 9, 2023 21:05:52.524987936 CEST4987125192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:52.730998039 CEST49872443192.168.2.380.66.75.77
                                                                                                                                                                              Oct 9, 2023 21:05:52.731086969 CEST4434987280.66.75.77192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:52.731185913 CEST49872443192.168.2.380.66.75.77
                                                                                                                                                                              Oct 9, 2023 21:05:52.748789072 CEST2549871104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:52.748984098 CEST4987125192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:52.749401093 CEST4987125192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:52.973695993 CEST2549871104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:52.976387024 CEST2549871104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:52.976434946 CEST4987125192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:52.977953911 CEST2549871104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:52.977996111 CEST4987125192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:53.730804920 CEST4987525192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:53.959222078 CEST2549875104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:53.959286928 CEST4987525192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:53.959563971 CEST4987525192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:54.186989069 CEST2549875104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:54.550313950 CEST2549875104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:54.550417900 CEST4987525192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:54.551472902 CEST2549875104.47.53.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:54.551523924 CEST4987525192.168.2.3104.47.53.36
                                                                                                                                                                              Oct 9, 2023 21:05:57.300303936 CEST4987925192.168.2.3104.47.54.36
                                                                                                                                                                              Oct 9, 2023 21:05:57.508162022 CEST2549879104.47.54.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:57.508336067 CEST4987925192.168.2.3104.47.54.36
                                                                                                                                                                              Oct 9, 2023 21:05:57.509145021 CEST4987925192.168.2.3104.47.54.36
                                                                                                                                                                              Oct 9, 2023 21:05:57.716510057 CEST2549879104.47.54.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:58.064825058 CEST2549879104.47.54.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:58.064914942 CEST4987925192.168.2.3104.47.54.36
                                                                                                                                                                              Oct 9, 2023 21:05:58.065921068 CEST2549879104.47.54.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:58.065978050 CEST4987925192.168.2.3104.47.54.36
                                                                                                                                                                              Oct 9, 2023 21:05:58.753174067 CEST4988225192.168.2.3104.47.54.36
                                                                                                                                                                              Oct 9, 2023 21:05:58.961065054 CEST2549882104.47.54.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:58.961165905 CEST4988225192.168.2.3104.47.54.36
                                                                                                                                                                              Oct 9, 2023 21:05:58.961498022 CEST4988225192.168.2.3104.47.54.36
                                                                                                                                                                              Oct 9, 2023 21:05:59.169298887 CEST2549882104.47.54.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:59.173299074 CEST2549882104.47.54.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:59.173389912 CEST4988225192.168.2.3104.47.54.36
                                                                                                                                                                              Oct 9, 2023 21:05:59.174079895 CEST2549882104.47.54.36192.168.2.3
                                                                                                                                                                              Oct 9, 2023 21:05:59.174134970 CEST4988225192.168.2.3104.47.54.36
Oct 9, 2023 21:06:00.119054079 CEST | 49885 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:00.326945066 CEST | 25 | 49885 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:00.327143908 CEST | 49885 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:00.328166008 CEST | 49885 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:00.535785913 CEST | 25 | 49885 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:00.888798952 CEST | 25 | 49885 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:00.888935089 CEST | 49885 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:00.889831066 CEST | 25 | 49885 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:00.889878988 CEST | 49885 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:01.575120926 CEST | 49888 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:01.782689095 CEST | 25 | 49888 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:01.786657095 CEST | 49888 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:01.787518978 CEST | 49888 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:01.994927883 CEST | 25 | 49888 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:02.345829010 CEST | 25 | 49888 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:02.345901966 CEST | 49888 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:02.346923113 CEST | 25 | 49888 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:02.350163937 CEST | 49888 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:02.944253922 CEST | 49891 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:03.152035952 CEST | 25 | 49891 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:03.152141094 CEST | 49891 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:03.152467966 CEST | 49891 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:03.360708952 CEST | 25 | 49891 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:03.363599062 CEST | 25 | 49891 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:03.363807917 CEST | 49891 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:03.364969969 CEST | 25 | 49891 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:03.365031004 CEST | 49891 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:06.027297974 CEST | 49894 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:06.235260010 CEST | 25 | 49894 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:06.235344887 CEST | 49894 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:06.235431910 CEST | 49894 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:06.443794966 CEST | 25 | 49894 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:06.446969986 CEST | 25 | 49894 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:06.447029114 CEST | 49894 | 25 | 192.168.2.3 | 104.47.54.36
Oct 9, 2023 21:06:06.448280096 CEST | 25 | 49894 | 104.47.54.36 | 192.168.2.3
Oct 9, 2023 21:06:06.448323965 CEST | 49894 | 25 | 192.168.2.3 | 104.47.54.36
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 9, 2023 21:02:27.915396929 CEST | 64209 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:02:28.164201021 CEST | 53 | 64209 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:02:30.360779047 CEST | 60569 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:02:31.096591949 CEST | 53 | 60569 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:03:37.274600029 CEST | 57054 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:03:37.522793055 CEST | 53 | 57054 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:03:47.107268095 CEST | 52054 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:03:47.352947950 CEST | 53 | 52054 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:03:57.691942930 CEST | 61035 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:03:57.938350916 CEST | 53 | 61035 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:04:08.138592005 CEST | 57041 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:04:08.447371006 CEST | 53 | 57041 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:04:18.314908981 CEST | 55463 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:04:18.561786890 CEST | 53 | 55463 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:04:30.184765100 CEST | 62954 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:04:30.432059050 CEST | 53 | 62954 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:04:40.554030895 CEST | 58633 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:04:40.801038980 CEST | 53 | 58633 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:04:51.257673979 CEST | 52393 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:04:51.504048109 CEST | 53 | 52393 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:05:11.515692949 CEST | 56784 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:05:11.680250883 CEST | 53 | 56784 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:05:11.681448936 CEST | 64915 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:05:11.845762014 CEST | 53 | 64915 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:05:13.070461988 CEST | 51498 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:05:13.317194939 CEST | 53 | 51498 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:05:35.609462023 CEST | 55271 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:05:35.773005009 CEST | 53 | 55271 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:05:36.956033945 CEST | 50689 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:05:37.203006029 CEST | 53 | 50689 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:05:46.155725956 CEST | 50146 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:05:46.402228117 CEST | 53 | 50146 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:05:52.218751907 CEST | 54084 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:05:52.729968071 CEST | 53 | 54084 | 1.1.1.1 | 192.168.2.3
Oct 9, 2023 21:05:57.050214052 CEST | 52919 | 53 | 192.168.2.3 | 1.1.1.1
Oct 9, 2023 21:05:57.296340942 CEST | 53 | 52919 | 1.1.1.1 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 9, 2023 21:02:27.915396929 CEST | 192.168.2.3 | 1.1.1.1 | 0xddf4 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:02:30.360779047 CEST | 192.168.2.3 | 1.1.1.1 | 0xa7a5 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:37.274600029 CEST | 192.168.2.3 | 1.1.1.1 | 0xd29f | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:47.107268095 CEST | 192.168.2.3 | 1.1.1.1 | 0x4001 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:57.691942930 CEST | 192.168.2.3 | 1.1.1.1 | 0xf9e5 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:08.138592005 CEST | 192.168.2.3 | 1.1.1.1 | 0x520d | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:18.314908981 CEST | 192.168.2.3 | 1.1.1.1 | 0xd9a4 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:30.184765100 CEST | 192.168.2.3 | 1.1.1.1 | 0x1d9a | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:40.554030895 CEST | 192.168.2.3 | 1.1.1.1 | 0xb335 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:51.257673979 CEST | 192.168.2.3 | 1.1.1.1 | 0x876e | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:05:11.515692949 CEST | 192.168.2.3 | 1.1.1.1 | 0x9922 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Oct 9, 2023 21:05:11.681448936 CEST | 192.168.2.3 | 1.1.1.1 | 0xb9c3 | Standard query (0) | mta6.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:05:13.070461988 CEST | 192.168.2.3 | 1.1.1.1 | 0x1db2 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:05:35.609462023 CEST | 192.168.2.3 | 1.1.1.1 | 0x8291 | Standard query (0) | mta6.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:05:36.956033945 CEST | 192.168.2.3 | 1.1.1.1 | 0x23e1 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:05:46.155725956 CEST | 192.168.2.3 | 1.1.1.1 | 0x462d | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:05:52.218751907 CEST | 192.168.2.3 | 1.1.1.1 | 0xd0d | Standard query (0) | jotunheim.name | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:05:57.050214052 CEST | 192.168.2.3 | 1.1.1.1 | 0x640f | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 9, 2023 21:02:28.164201021 CEST | 1.1.1.1 | 192.168.2.3 | 0xddf4 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.5 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:02:28.164201021 CEST | 1.1.1.1 | 192.168.2.3 | 0xddf4 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:02:28.164201021 CEST | 1.1.1.1 | 192.168.2.3 | 0xddf4 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:02:28.164201021 CEST | 1.1.1.1 | 192.168.2.3 | 0xddf4 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.1 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:02:28.164201021 CEST | 1.1.1.1 | 192.168.2.3 | 0xddf4 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.212.0 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:02:28.164201021 CEST | 1.1.1.1 | 192.168.2.3 | 0xddf4 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.7 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:02:31.096591949 CEST | 1.1.1.1 | 192.168.2.3 | 0xa7a5 | No error (0) | vanaheim.cn |  | 193.106.174.220 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:37.522793055 CEST | 1.1.1.1 | 192.168.2.3 | 0xd29f | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.1 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:37.522793055 CEST | 1.1.1.1 | 192.168.2.3 | 0xd29f | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.212.0 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:37.522793055 CEST | 1.1.1.1 | 192.168.2.3 | 0xd29f | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.7 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:37.522793055 CEST | 1.1.1.1 | 192.168.2.3 | 0xd29f | No error (0) | microsoft-com.mail.protection.outlook.com |  | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:37.522793055 CEST | 1.1.1.1 | 192.168.2.3 | 0xd29f | No error (0) | microsoft-com.mail.protection.outlook.com |  | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:37.522793055 CEST | 1.1.1.1 | 192.168.2.3 | 0xd29f | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.5 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:47.352947950 CEST | 1.1.1.1 | 192.168.2.3 | 0x4001 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.212.0 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:47.352947950 CEST | 1.1.1.1 | 192.168.2.3 | 0x4001 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.1 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:47.352947950 CEST | 1.1.1.1 | 192.168.2.3 | 0x4001 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:47.352947950 CEST | 1.1.1.1 | 192.168.2.3 | 0x4001 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:47.352947950 CEST | 1.1.1.1 | 192.168.2.3 | 0x4001 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.5 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:47.352947950 CEST | 1.1.1.1 | 192.168.2.3 | 0x4001 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.7 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:57.938350916 CEST | 1.1.1.1 | 192.168.2.3 | 0xf9e5 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:57.938350916 CEST | 1.1.1.1 | 192.168.2.3 | 0xf9e5 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.7 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:57.938350916 CEST | 1.1.1.1 | 192.168.2.3 | 0xf9e5 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:57.938350916 CEST | 1.1.1.1 | 192.168.2.3 | 0xf9e5 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.5 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:57.938350916 CEST | 1.1.1.1 | 192.168.2.3 | 0xf9e5 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.40.29 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:03:57.938350916 CEST | 1.1.1.1 | 192.168.2.3 | 0xf9e5 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.212.0 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:08.447371006 CEST | 1.1.1.1 | 192.168.2.3 | 0x520d | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.1 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:08.447371006 CEST | 1.1.1.1 | 192.168.2.3 | 0x520d | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.5 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:08.447371006 CEST | 1.1.1.1 | 192.168.2.3 | 0x520d | No error (0) | microsoft-com.mail.protection.outlook.com |  | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:08.447371006 CEST | 1.1.1.1 | 192.168.2.3 | 0x520d | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.40.29 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:08.447371006 CEST | 1.1.1.1 | 192.168.2.3 | 0x520d | No error (0) | microsoft-com.mail.protection.outlook.com |  | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:18.561786890 CEST | 1.1.1.1 | 192.168.2.3 | 0xd9a4 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.212.0 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:18.561786890 CEST | 1.1.1.1 | 192.168.2.3 | 0xd9a4 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.7 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:18.561786890 CEST | 1.1.1.1 | 192.168.2.3 | 0xd9a4 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:18.561786890 CEST | 1.1.1.1 | 192.168.2.3 | 0xd9a4 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:18.561786890 CEST | 1.1.1.1 | 192.168.2.3 | 0xd9a4 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.5 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:18.561786890 CEST | 1.1.1.1 | 192.168.2.3 | 0xd9a4 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.1 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:30.432059050 CEST | 1.1.1.1 | 192.168.2.3 | 0x1d9a | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.5 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:30.432059050 CEST | 1.1.1.1 | 192.168.2.3 | 0x1d9a | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.1 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:30.432059050 CEST | 1.1.1.1 | 192.168.2.3 | 0x1d9a | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.212.0 | A (IP address) | IN (0x0001) | false
Oct 9, 2023 21:04:30.432059050 CEST | 1.1.1.1 | 192.168.2.3 | 0x1d9a | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.7 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                              Oct 9, 2023 21:04:30.432059050 CEST1.1.1.1192.168.2.30x1d9aNo error (0)microsoft-com.mail.protection.outlook.com52.101.40.29A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:04:30.432059050 CEST1.1.1.1192.168.2.30x1d9aNo error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:04:40.801038980 CEST1.1.1.1192.168.2.30xb335No error (0)microsoft-com.mail.protection.outlook.com40.93.207.5A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:04:40.801038980 CEST1.1.1.1192.168.2.30xb335No error (0)microsoft-com.mail.protection.outlook.com40.93.207.7A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:04:40.801038980 CEST1.1.1.1192.168.2.30xb335No error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:04:40.801038980 CEST1.1.1.1192.168.2.30xb335No error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:04:40.801038980 CEST1.1.1.1192.168.2.30xb335No error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:04:40.801038980 CEST1.1.1.1192.168.2.30xb335No error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:04:51.504048109 CEST1.1.1.1192.168.2.30x876eNo error (0)microsoft-com.mail.protection.outlook.com52.101.40.29A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:04:51.504048109 CEST1.1.1.1192.168.2.30x876eNo error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:04:51.504048109 CEST1.1.1.1192.168.2.30x876eNo error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:04:51.504048109 CEST1.1.1.1192.168.2.30x876eNo error (0)microsoft-com.mail.protection.outlook.com40.93.207.5A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:04:51.504048109 CEST1.1.1.1192.168.2.30x876eNo error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:11.680250883 CEST1.1.1.1192.168.2.30x9922No error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:11.680250883 CEST1.1.1.1192.168.2.30x9922No error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:11.680250883 CEST1.1.1.1192.168.2.30x9922No error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:11.845762014 CEST1.1.1.1192.168.2.30xb9c3No error (0)mta6.am0.yahoodns.net98.136.96.74A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:11.845762014 CEST1.1.1.1192.168.2.30xb9c3No error (0)mta6.am0.yahoodns.net98.136.96.76A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:11.845762014 CEST1.1.1.1192.168.2.30xb9c3No error (0)mta6.am0.yahoodns.net67.195.204.74A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:11.845762014 CEST1.1.1.1192.168.2.30xb9c3No error (0)mta6.am0.yahoodns.net67.195.204.79A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:11.845762014 CEST1.1.1.1192.168.2.30xb9c3No error (0)mta6.am0.yahoodns.net67.195.228.109A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:11.845762014 CEST1.1.1.1192.168.2.30xb9c3No error (0)mta6.am0.yahoodns.net67.195.204.77A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:11.845762014 CEST1.1.1.1192.168.2.30xb9c3No error (0)mta6.am0.yahoodns.net67.195.228.106A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:11.845762014 CEST1.1.1.1192.168.2.30xb9c3No error (0)mta6.am0.yahoodns.net67.195.204.72A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:13.317194939 CEST1.1.1.1192.168.2.30x1db2No error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:13.317194939 CEST1.1.1.1192.168.2.30x1db2No error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:13.317194939 CEST1.1.1.1192.168.2.30x1db2No error (0)microsoft-com.mail.protection.outlook.com40.93.207.7A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:13.317194939 CEST1.1.1.1192.168.2.30x1db2No error (0)microsoft-com.mail.protection.outlook.com52.101.40.29A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:13.317194939 CEST1.1.1.1192.168.2.30x1db2No error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:13.317194939 CEST1.1.1.1192.168.2.30x1db2No error (0)microsoft-com.mail.protection.outlook.com40.93.207.5A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:35.773005009 CEST1.1.1.1192.168.2.30x8291No error (0)mta6.am0.yahoodns.net67.195.204.74A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:35.773005009 CEST1.1.1.1192.168.2.30x8291No error (0)mta6.am0.yahoodns.net67.195.204.79A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:35.773005009 CEST1.1.1.1192.168.2.30x8291No error (0)mta6.am0.yahoodns.net67.195.228.109A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:35.773005009 CEST1.1.1.1192.168.2.30x8291No error (0)mta6.am0.yahoodns.net67.195.204.73A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:35.773005009 CEST1.1.1.1192.168.2.30x8291No error (0)mta6.am0.yahoodns.net98.136.96.91A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:35.773005009 CEST1.1.1.1192.168.2.30x8291No error (0)mta6.am0.yahoodns.net67.195.228.94A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:35.773005009 CEST1.1.1.1192.168.2.30x8291No error (0)mta6.am0.yahoodns.net98.136.96.75A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:35.773005009 CEST1.1.1.1192.168.2.30x8291No error (0)mta6.am0.yahoodns.net67.195.228.106A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:37.203006029 CEST1.1.1.1192.168.2.30x23e1No error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:37.203006029 CEST1.1.1.1192.168.2.30x23e1No error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:37.203006029 CEST1.1.1.1192.168.2.30x23e1No error (0)microsoft-com.mail.protection.outlook.com40.93.207.5A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:37.203006029 CEST1.1.1.1192.168.2.30x23e1No error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:37.203006029 CEST1.1.1.1192.168.2.30x23e1No error (0)microsoft-com.mail.protection.outlook.com52.101.40.29A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:46.402228117 CEST1.1.1.1192.168.2.30x462dNo error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:46.402228117 CEST1.1.1.1192.168.2.30x462dNo error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:46.402228117 CEST1.1.1.1192.168.2.30x462dNo error (0)microsoft-com.mail.protection.outlook.com40.93.207.5A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:46.402228117 CEST1.1.1.1192.168.2.30x462dNo error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:46.402228117 CEST1.1.1.1192.168.2.30x462dNo error (0)microsoft-com.mail.protection.outlook.com52.101.40.29A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:52.729968071 CEST1.1.1.1192.168.2.30xd0dNo error (0)jotunheim.name80.66.75.77A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:57.296340942 CEST1.1.1.1192.168.2.30x640fNo error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:57.296340942 CEST1.1.1.1192.168.2.30x640fNo error (0)microsoft-com.mail.protection.outlook.com40.93.207.7A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:57.296340942 CEST1.1.1.1192.168.2.30x640fNo error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:57.296340942 CEST1.1.1.1192.168.2.30x640fNo error (0)microsoft-com.mail.protection.outlook.com40.93.207.5A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:57.296340942 CEST1.1.1.1192.168.2.30x640fNo error (0)microsoft-com.mail.protection.outlook.com52.101.40.29A (IP address)IN (0x0001)false
                                                                                                                                                                              Oct 9, 2023 21:05:57.296340942 CEST1.1.1.1192.168.2.30x640fNo error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 9, 2023 21:02:28.624763012 CEST | 25 | 49714 | 40.93.207.5 | 192.168.2.3 | 220 CB1PEPF00003D79.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:02:27 +0000
Oct 9, 2023 21:03:37.973424911 CEST | 25 | 49719 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:37 +0000
Oct 9, 2023 21:03:39.309248924 CEST | 25 | 49721 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:38 +0000
Oct 9, 2023 21:03:40.860481977 CEST | 25 | 49723 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:40 +0000
Oct 9, 2023 21:03:43.417088032 CEST | 25 | 49725 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:42 +0000
Oct 9, 2023 21:03:44.713330030 CEST | 25 | 49727 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:43 +0000
Oct 9, 2023 21:03:46.148380995 CEST | 25 | 49729 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:45 +0000
Oct 9, 2023 21:03:47.799685955 CEST | 25 | 49731 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AE.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:47 +0000
Oct 9, 2023 21:03:49.242321014 CEST | 25 | 49733 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AE.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:48 +0000
Oct 9, 2023 21:03:50.740894079 CEST | 25 | 49735 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AE.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:50 +0000
Oct 9, 2023 21:03:52.246368885 CEST | 25 | 49737 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AE.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:51 +0000
Oct 9, 2023 21:03:53.601526022 CEST | 25 | 49740 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AD.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:53 +0000
Oct 9, 2023 21:03:55.079722881 CEST | 25 | 49742 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AD.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:54 +0000
Oct 9, 2023 21:03:56.468019962 CEST | 25 | 49744 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AD.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:55 +0000
Oct 9, 2023 21:03:58.710621119 CEST | 25 | 49746 | 104.47.54.36 | 192.168.2.3 | 220 DM3NAM06FT014.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:58 +0000
Oct 9, 2023 21:03:59.732928038 CEST | 25 | 49748 | 104.47.54.36 | 192.168.2.3 | 220 DM3NAM06FT010.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:03:59 +0000
Oct 9, 2023 21:04:01.313339949 CEST | 25 | 49750 | 104.47.54.36 | 192.168.2.3 | 220 DM3NAM06FT003.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:00 +0000
Oct 9, 2023 21:04:02.255928040 CEST | 25 | 49752 | 104.47.54.36 | 192.168.2.3 | 220 DM3NAM06FT016.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:01 +0000
Oct 9, 2023 21:04:03.849586964 CEST | 25 | 49754 | 104.47.54.36 | 192.168.2.3 | 220 DM3NAM06FT009.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:02 +0000
Oct 9, 2023 21:04:04.940988064 CEST | 25 | 49756 | 104.47.54.36 | 192.168.2.3 | 220 DM3NAM06FT007.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:04 +0000
Oct 9, 2023 21:04:06.204778910 CEST | 25 | 49758 | 104.47.54.36 | 192.168.2.3 | 220 DM3NAM06FT016.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:05 +0000
Oct 9, 2023 21:04:07.404645920 CEST | 25 | 49760 | 104.47.54.36 | 192.168.2.3 | 220 DM3NAM06FT004.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:06 +0000
Oct 9, 2023 21:04:08.900469065 CEST | 25 | 49762 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:07 +0000
Oct 9, 2023 21:04:10.308058023 CEST | 25 | 49764 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:09 +0000
Oct 9, 2023 21:04:11.698175907 CEST | 25 | 49766 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:10 +0000
Oct 9, 2023 21:04:13.099709034 CEST | 25 | 49768 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:12 +0000
Oct 9, 2023 21:04:14.467812061 CEST | 25 | 49770 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:13 +0000
Oct 9, 2023 21:04:15.946964979 CEST | 25 | 49772 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:14 +0000
Oct 9, 2023 21:04:17.435250044 CEST | 25 | 49774 | 40.93.207.1 | 192.168.2.3 | 220 CB1PEPF00003667.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:17 +0000
Oct 9, 2023 21:04:18.981692076 CEST | 25 | 49776 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AD.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:18 +0000
Oct 9, 2023 21:04:20.204605103 CEST | 25 | 49778 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AD.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:19 +0000
Oct 9, 2023 21:04:21.478930950 CEST | 25 | 49780 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AD.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:20 +0000
Oct 9, 2023 21:04:22.693321943 CEST | 25 | 49782 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AD.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:21 +0000
Oct 9, 2023 21:04:23.884661913 CEST | 25 | 49784 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AD.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:23 +0000
Oct 9, 2023 21:04:25.295798063 CEST | 25 | 49786 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AD.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:24 +0000
Oct 9, 2023 21:04:26.691509008 CEST | 25 | 49788 | 40.93.212.0 | 192.168.2.3 | 220 CD1PEPF000006AD.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:25 +0000
Oct 9, 2023 21:04:30.883565903 CEST | 25 | 49790 | 40.93.207.5 | 192.168.2.3 | 220 CB1PEPF00003D78.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:30 +0000
Oct 9, 2023 21:04:32.130721092 CEST | 25 | 49792 | 40.93.207.5 | 192.168.2.3 | 220 CB1PEPF00003D79.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:31 +0000
Oct 9, 2023 21:04:33.398545027 CEST | 25 | 49795 | 40.93.207.5 | 192.168.2.3 | 220 CB1PEPF00003D79.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:32 +0000
Oct 9, 2023 21:04:34.626475096 CEST | 25 | 49797 | 40.93.207.5 | 192.168.2.3 | 220 CB1PEPF00003D7A.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:33 +0000
                                                                                                                                                                              Oct 9, 2023 21:04:35.924674034 CEST254979940.93.207.5192.168.2.3220 CB1PEPF00003D78.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:35 +0000
                                                                                                                                                                              Oct 9, 2023 21:04:37.228729010 CEST254980140.93.207.5192.168.2.3220 CB1PEPF00003D79.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:36 +0000
                                                                                                                                                                              Oct 9, 2023 21:04:38.483428955 CEST254980340.93.207.5192.168.2.3220 CB1PEPF00003D7A.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:38 +0000
                                                                                                                                                                              Oct 9, 2023 21:04:39.759342909 CEST254980540.93.207.5192.168.2.3220 CB1PEPF00003D78.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:39 +0000
                                                                                                                                                                              Oct 9, 2023 21:04:41.261710882 CEST254980740.93.207.5192.168.2.3220 CB1PEPF00003D79.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:40 +0000
                                                                                                                                                                              Oct 9, 2023 21:04:42.557807922 CEST254980940.93.207.5192.168.2.3220 CB1PEPF00003D7A.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:42 +0000
                                                                                                                                                                              Oct 9, 2023 21:04:43.779781103 CEST254981140.93.207.5192.168.2.3220 CB1PEPF00003D78.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:43 +0000
                                                                                                                                                                              Oct 9, 2023 21:04:44.982021093 CEST254981340.93.207.5192.168.2.3220 CB1PEPF00003D79.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:44 +0000
                                                                                                                                                                              Oct 9, 2023 21:04:46.363997936 CEST254981540.93.207.5192.168.2.3220 CB1PEPF00003D7A.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:46 +0000
                                                                                                                                                                              Oct 9, 2023 21:04:48.948822975 CEST254981740.93.207.5192.168.2.3220 CB1PEPF00003D78.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:48 +0000
                                                                                                                                                                              Oct 9, 2023 21:04:50.384640932 CEST254981940.93.207.5192.168.2.3220 CB1PEPF00003D79.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:04:49 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:12.417845011 CEST254982498.136.96.74192.168.2.3220 mtaproxy207.free.mail.ne1.yahoo.com ESMTP ready
                                                                                                                                                                              Oct 9, 2023 21:05:16.419312954 CEST254982740.93.207.1192.168.2.3451 4.7.700 PFA agent busy, please try again. [CB1PEPF00003667.namprd00.prod.outlook.com 2023-10-09T19:05:16.289Z 08DBC8FAAAC634FC]
                                                                                                                                                                              Oct 9, 2023 21:05:36.330264091 CEST254983567.195.204.74192.168.2.3220 mtaproxy507.free.mail.bf1.yahoo.com ESMTP ready
                                                                                                                                                                              Oct 9, 2023 21:05:37.663113117 CEST2549838104.47.53.36192.168.2.3220 BL2NAM06FT011.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:37 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:40.354428053 CEST2549842104.47.53.36192.168.2.3220 BL2NAM06FT012.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:39 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:41.488259077 CEST2549844104.47.53.36192.168.2.3220 BL2NAM06FT004.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:41 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:42.757977009 CEST2549847104.47.53.36192.168.2.3220 BL2NAM06FT014.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:41 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:44.062406063 CEST2549850104.47.53.36192.168.2.3220 BL2NAM06FT013.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:43 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:45.306204081 CEST2549853104.47.53.36192.168.2.3220 BL2NAM06FT013.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:44 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:47.223807096 CEST2549856104.47.53.36192.168.2.3220 BL2NAM06FT004.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:46 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:48.101303101 CEST2549859104.47.53.36192.168.2.3220 BL2NAM06FT013.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:47 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:49.377680063 CEST2549862104.47.53.36192.168.2.3220 BL2NAM06FT004.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:48 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:50.607858896 CEST2549865104.47.53.36192.168.2.3220 BL2NAM06FT013.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:49 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:51.784666061 CEST2549868104.47.53.36192.168.2.3220 BL2NAM06FT012.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:51 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:52.976387024 CEST2549871104.47.53.36192.168.2.3220 BL2NAM06FT009.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:52 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:54.550313950 CEST2549875104.47.53.36192.168.2.3220 BL2NAM06FT011.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:53 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:58.064825058 CEST2549879104.47.54.36192.168.2.3220 DM3NAM06FT003.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:57 +0000
                                                                                                                                                                              Oct 9, 2023 21:05:59.173299074 CEST2549882104.47.54.36192.168.2.3220 DM3NAM06FT015.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:58 +0000
                                                                                                                                                                              Oct 9, 2023 21:06:00.888798952 CEST2549885104.47.54.36192.168.2.3220 DM3NAM06FT006.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:05:59 +0000
                                                                                                                                                                              Oct 9, 2023 21:06:02.345829010 CEST2549888104.47.54.36192.168.2.3220 DM3NAM06FT009.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:06:01 +0000
                                                                                                                                                                              Oct 9, 2023 21:06:03.363599062 CEST2549891104.47.54.36192.168.2.3220 DM3NAM06FT016.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:06:02 +0000
                                                                                                                                                                              Oct 9, 2023 21:06:06.446969986 CEST2549894104.47.54.36192.168.2.3220 DM3NAM06FT016.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 9 Oct 2023 19:06:06 +0000


Target ID: 0
Start time: 21:01:55
Start date: 09/10/2023
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase: 0x7ff743e40000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 1
Start time: 21:01:55
Start date: 09/10/2023
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase: 0x7ff743e40000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 2
Start time: 21:01:55
Start date: 09/10/2023
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Imagebase: 0x7ff743e40000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 3
Start time: 21:01:55
Start date: 09/10/2023
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase: 0x7ff743e40000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 4
Start time: 21:01:56
Start date: 09/10/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x400000
File size: 221'184 bytes
MD5 hash: 21C68B05AC982CFF12AFCB9AF3A5657D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.1457392227.000000000090D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: unknown
  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: ditekSHen
  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000004.00000003.1409298622.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000004.00000003.1409298622.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000004.00000003.1409298622.0000000000720000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

                                                                                                                                                                              Target ID:6
                                                                                                                                                                              Start time:21:02:10
                                                                                                                                                                              Start date:09/10/2023
                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ptlohvde\
                                                                                                                                                                              Imagebase:0xb80000
                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:high
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:7
                                                                                                                                                                              Start time:21:02:10
                                                                                                                                                                              Start date:09/10/2023
                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              Imagebase:0x7ff720030000
                                                                                                                                                                              File size:873'472 bytes
                                                                                                                                                                              MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:8
                                                                                                                                                                              Start time:21:02:10
                                                                                                                                                                              Start date:09/10/2023
                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wdkncqjt.exe" C:\Windows\SysWOW64\ptlohvde\
                                                                                                                                                                              Imagebase:0xb80000
                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:high
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:9
                                                                                                                                                                              Start time:21:02:10
                                                                                                                                                                              Start date:09/10/2023
                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              Imagebase:0x7ff720030000
                                                                                                                                                                              File size:873'472 bytes
                                                                                                                                                                              MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:10
                                                                                                                                                                              Start time:21:02:11
                                                                                                                                                                              Start date:09/10/2023
                                                                                                                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                              Commandline:C:\Windows\System32\sc.exe" create ptlohvde binPath= "C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
                                                                                                                                                                              Imagebase:0x490000
                                                                                                                                                                              File size:61'440 bytes
                                                                                                                                                                              MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:11
                                                                                                                                                                              Start time:21:02:11
                                                                                                                                                                              Start date:09/10/2023
                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              Imagebase:0x7ff720030000
                                                                                                                                                                              File size:873'472 bytes
                                                                                                                                                                              MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:12
                                                                                                                                                                              Start time:21:02:12
                                                                                                                                                                              Start date:09/10/2023
                                                                                                                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                              Commandline:C:\Windows\System32\sc.exe" description ptlohvde "wifi internet conection
                                                                                                                                                                              Imagebase:0x490000
                                                                                                                                                                              File size:61'440 bytes
                                                                                                                                                                              MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:13
                                                                                                                                                                              Start time:21:02:12
                                                                                                                                                                              Start date:09/10/2023
                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              Imagebase:0x7ff720030000
                                                                                                                                                                              File size:873'472 bytes
                                                                                                                                                                              MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:14
                                                                                                                                                                              Start time:21:02:13
                                                                                                                                                                              Start date:09/10/2023
                                                                                                                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                              Commandline:"C:\Windows\System32\sc.exe" start ptlohvde
                                                                                                                                                                              Imagebase:0x490000
                                                                                                                                                                              File size:61'440 bytes
                                                                                                                                                                              MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:15
                                                                                                                                                                              Start time:21:02:13
                                                                                                                                                                              Start date:09/10/2023
                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              Imagebase:0x7ff720030000
                                                                                                                                                                              File size:873'472 bytes
                                                                                                                                                                              MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Has exited:true
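The process records for targets 6, 8, 10, 12 and 14 above are one persistence procedure: cmd.exe creates a randomly named directory under SysWOW64, moves the dropped executable from %TEMP% into it, and sc.exe registers it as an auto-start service whose binPath carries the original sample path in a /d argument, then starts it. The Python below is an added detection example, not part of the Joe Sandbox report or of the sample: it reconstructs that chain from process-creation records. The record layout (id, image, cmdline) is a constructed stand-in for Sysmon Event ID 1 or EDR process-creation logs, the command lines are copied from the records above plus one constructed benign service creation, and the 8-lowercase-letter random-name heuristic and the "three or more reasons" alert threshold are the author's own assumptions.

```python
import ntpath
import re

# Constructed process-creation records modelled on the process list in this report.
# A Sysmon Event ID 1 / EDR feed would supply the same three fields (assumption).
SAMPLE_EVENTS = [
    {"id": 6, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\ptlohvde\\'},
    {"id": 8, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C move /Y '
                '"C:\\Users\\user\\AppData\\Local\\Temp\\wdkncqjt.exe" C:\\Windows\\SysWOW64\\ptlohvde\\'},
    {"id": 10, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmdline": 'C:\\Windows\\System32\\sc.exe" create ptlohvde binPath= '
                '"C:\\Windows\\SysWOW64\\ptlohvde\\wdkncqjt.exe /d\\"C:\\Users\\user\\Desktop\\file.exe\\"" '
                'type= own start= auto DisplayName= "wifi support'},
    {"id": 12, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmdline": 'C:\\Windows\\System32\\sc.exe" description ptlohvde "wifi internet conection'},
    {"id": 14, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmdline": '"C:\\Windows\\System32\\sc.exe" start ptlohvde'},
    # Constructed benign control: a vendor agent installed under Program Files.
    {"id": 99, "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": '"C:\\Windows\\System32\\sc.exe" create VendorAgent binPath= '
                '"C:\\Program Files\\Vendor\\agent.exe" start= auto DisplayName= "Vendor Agent"'},
]

MKDIR_RE = re.compile(r'\bmkdir\s+"?([^"\s]+)', re.I)
MOVE_RE = re.compile(r'\bmove\b(?:\s+/y)?\s+"?([^"]+?)"?\s+"?([^"\s]+)"?\s*$', re.I)
# binPath value may contain escaped quotes (\"), as in the record above.
SC_CREATE_RE = re.compile(r'\bcreate\s+(\S+)\s+.*?binPath=\s*"((?:\\"|[^"])*)"', re.I)
RANDOM_NAME_RE = re.compile(r'[a-z]{8}')  # assumption: Tofsee-style 8 lowercase letters
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def norm(path):
    """Lower-case a Windows path and drop surrounding quotes and a trailing backslash."""
    return path.strip().strip('"').rstrip("\\").lower()


def parse_sc_create(cmdline):
    """Return service name, image, /d argument, start type and display name of an
    'sc create' command line, or None if the line does not create a service."""
    m = SC_CREATE_RE.search(cmdline)
    if not m:
        return None
    name, binpath = m.group(1), m.group(2)
    image = re.match(r'\s*"?([^"]+?\.exe)', binpath, re.I)
    dropper = re.search(r'/d\\?"([^"]+?)\\?"', binpath, re.I)
    start = re.search(r'\bstart=\s*(\w+)', cmdline, re.I)
    display = re.search(r'DisplayName=\s*"?([^"]*)', cmdline, re.I)
    return {
        "service": name,
        "image": image.group(1) if image else binpath,
        "dropper": dropper.group(1) if dropper else None,
        "start": start.group(1).lower() if start else None,
        "display_name": display.group(1).strip() if display else None,
    }


def analyse(events):
    """Walk records in order; score every 'sc create' against what cmd.exe did earlier."""
    created_dirs = set()   # directories created with mkdir
    moved_into = {}        # destination directory -> source file of a move
    findings = []
    for ev in events:
        cmd, image = ev["cmdline"], ev["image"].lower()
        if image.endswith("cmd.exe"):
            m = MKDIR_RE.search(cmd)
            if m:
                created_dirs.add(norm(m.group(1)))
            m = MOVE_RE.search(cmd)
            if m:
                moved_into[norm(m.group(2))] = m.group(1)
            continue
        if not image.endswith("sc.exe"):
            continue
        svc = parse_sc_create(cmd)
        if svc is None:
            continue
        bindir = norm(ntpath.dirname(svc["image"]))
        reasons = []
        if bindir.startswith(SYSTEM_DIRS):
            reasons.append("service binary in a subdirectory of System32/SysWOW64")
        if bindir in created_dirs:
            reasons.append("binary directory created by cmd.exe mkdir in this session")
        if bindir in moved_into:
            reasons.append("binary moved into place from " + moved_into[bindir])
        if svc["start"] == "auto":
            reasons.append("start= auto")
        if RANDOM_NAME_RE.fullmatch(svc["service"]):
            reasons.append("random-looking 8-letter service name (heuristic)")
        if svc["dropper"]:
            reasons.append("/d argument points back at the original sample " + svc["dropper"])
        findings.append({**svc, "id": ev["id"], "reasons": reasons,
                         "suspicious": len(reasons) >= 3})  # threshold is an assumption
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f["id"], f["service"], "SUSPICIOUS" if f["suspicious"] else "ok", f["reasons"])
```

The same chain is worth correlating on a real host: a Sysmon process-creation rule that fires on any `sc.exe create` whose binPath sits in a directory created by `cmd.exe /C mkdir` a few seconds earlier, under a system directory, is far more specific than either command on its own.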

                                                                                                                                                                              Target ID:16
                                                                                                                                                                              Start time:21:02:13
                                                                                                                                                                              Start date:09/10/2023
                                                                                                                                                                              Path:C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe
                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                              Commandline:C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe /d"C:\Users\user\Desktop\file.exe"
Imagebase:0x400000
File size:13'209'600 bytes
MD5 hash:B11DD4A2DA4ABF719066A2DB8F95983F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000010.00000002.1576028208.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000010.00000002.1575910314.0000000000619000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000010.00000003.1572907946.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000010.00000003.1572907946.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000010.00000003.1572907946.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:true

Target ID:17
Start time:21:02:13
Start date:09/10/2023
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Imagebase:0x8e0000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:21:02:13
Start date:09/10/2023
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:0x7ff743e40000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:21:02:13
Start date:09/10/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff720030000
File size:873'472 bytes
MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:21:02:14
Start date:09/10/2023
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7448 -ip 7448
Imagebase:0xb0000
File size:489'328 bytes
MD5 hash:F5210A4A7E411A1BAD3844586A74B574
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:21:02:14
Start date:09/10/2023
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 632
Imagebase:0xb0000
File size:489'328 bytes
MD5 hash:F5210A4A7E411A1BAD3844586A74B574
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:21:02:25
Start date:09/10/2023
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:svchost.exe
Imagebase:0x60000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:false

Target ID:24
Start time:21:02:25
Start date:09/10/2023
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7956 -ip 7956
Imagebase:0xb0000
File size:489'328 bytes
MD5 hash:F5210A4A7E411A1BAD3844586A74B574
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:21:02:26
Start date:09/10/2023
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7956 -s 540
Imagebase:0xb0000
File size:489'328 bytes
MD5 hash:F5210A4A7E411A1BAD3844586A74B574
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:21:02:56
Start date:09/10/2023
Path:C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe
Wow64 process (32bit):false
Commandline:"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe" -wdenable
Imagebase:0x7ff70adc0000
File size:1'596'304 bytes
MD5 hash:31E905BFB19E7D184BB81F274A71B221
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:21:02:56
Start date:09/10/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff720030000
File size:873'472 bytes
MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:21:04:57
Start date:09/10/2023
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:0x7ff743e40000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:43
                                                                                                                                                                              Start time:21:05:28
                                                                                                                                                                              Start date:09/10/2023
                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                                                              Imagebase:0x7ff743e40000
                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Has exited:false


Execution Graph

Execution Coverage:3.7%
Dynamic/Decrypted Code Coverage:31.3%
Signature Coverage:25.3%
Total number of Nodes:1574
Total number of Limit Nodes:27
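The execution_graph dump that follows is the sandbox's interactive graph flattened into one token stream: a five-digit node id followed by a hex image address and zero or more API names defines a node, `a->b` is a directed edge, and `N API calls` summarises a call into a sub-graph. The parser below is an added example for working with that dump offline; it is not Joe Sandbox code, and the token grammar is inferred from this page rather than documented anywhere. The sample input is an excerpt copied from this report's own dump (nodes 15245 onward plus the `codecvt 4 API calls` node). The chain it searches for is the CreateProcessA, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread sequence that the dump shows between nodes 15247 and 15258, a process-hollowing-style pattern; any other chain can be passed in the same way.

```python
"""Parse a flattened Joe Sandbox 'execution_graph' dump and search it for an
ordered API-call chain.  Added example, not Joe Sandbox code.  The token grammar
is inferred from the dump on this page (an assumption):
  <node-id> <hex-addr> [ApiName ...]   defines a node and its API calls
  <a>-><b>                             directed edge between node ids
  <n> API calls                        summary marker for a call into a sub-graph
"""
import re
from collections import defaultdict

NODE_ID = re.compile(r"^\d{5}$")          # node ids in this report are 5 digits
HEX_ADDR = re.compile(r"^[0-9a-f]{6}$")   # image addresses such as 409794
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Sample input: an excerpt copied from this report's execution_graph dump
# (nodes 15245.. and the 'codecvt 4 API calls' node 14642).
SAMPLE = """
15245 40977c 15246 40ee2a 15245->15246 15247 409794 CreateProcessA 15246->15247
15248 4097c2 15247->15248 15249 4097bb 15247->15249 15250 4097d4 GetThreadContext
15248->15250 15249->14861 15251 409801 15250->15251 15252 4097f5 15250->15252
15259 40637c 15251->15259 15253 4097f6 TerminateProcess 15252->15253 15253->15249
15255 409816 15255->15253 15256 40981e WriteProcessMemory 15255->15256 15256->15252
15257 40983b SetThreadContext 15256->15257 15257->15252 15258 409858 ResumeThread
15257->15258 15258->15249 15260 406386 15259->15260 15261 40638a GetModuleHandleA
VirtualAlloc 15259->15261 15260->15255 15262 4063b6 15261->15262 15266 4063f5
15261->15266 15263 4063be VirtualAllocEx 15262->15263 15264 4063d6 15263->15264
15263->15266 15265 4063df WriteProcessMemory 15264->15265 15265->15266 15266->15255
14642 40ec2e codecvt 4 API calls 14646 40a15d 14642->14646
"""

# Ordered chain visible in the dump between nodes 15247 and 15258.
HOLLOWING_CHAIN = ("CreateProcessA", "GetThreadContext", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread")


def parse_execution_graph(text):
    """Return (nodes, edges); nodes maps id -> {'addr': int, 'apis': [names]}."""
    tokens = text.split()
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and HEX_ADDR.match(tokens[i + 1]):
            cur = int(tok)                      # start of a node definition
            nodes[cur] = {"addr": int(tokens[i + 1], 16), "apis": []}
            i += 2
        elif tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
            i += 3                              # summary marker, no API name
        else:
            if cur is not None:                 # API name (or label) of the current node
                nodes[cur]["apis"].append(tok)
            i += 1
    return nodes, edges


def find_api_chain(nodes, edges, chain, max_depth=16):
    """Depth-first search for acyclic paths along which the APIs in `chain`
    are reached in order (other calls may occur in between).  Returns a list
    of node-id paths, each starting at a node that calls chain[0]."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    hits = []

    def walk(node, idx, path):
        if idx == len(chain):
            hits.append(path)
            return
        if len(path) > max_depth:
            return
        for nxt in succ[node]:
            if nxt in path:                     # never revisit a node on this path
                continue
            matched = chain[idx] in nodes.get(nxt, {}).get("apis", [])
            walk(nxt, idx + 1 if matched else idx, path + [nxt])

    for nid, info in nodes.items():
        if chain[0] in info["apis"]:
            walk(nid, 1, [nid])
    return hits


if __name__ == "__main__":
    g_nodes, g_edges = parse_execution_graph(SAMPLE)
    for path in find_api_chain(g_nodes, g_edges, HOLLOWING_CHAIN):
        print(" -> ".join(f"{n}@{g_nodes[n]['addr']:x}" for n in path))
```

To run it against the full report, paste the whole execution_graph token stream (joining the wrapped lines first) into `SAMPLE` or read it from a file; node ids that appear only in edges, such as 14861 in the excerpt, resolve to nodes defined elsewhere in the dump. The search is intentionally permissive about intervening calls, so review each returned path rather than treating a hit as proof by itself.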
                                                                                                                                                                                execution_graph 16740 40444a 16742 404458 16740->16742 16741 40446a 16742->16741 16744 401940 16742->16744 16745 40ec2e codecvt 4 API calls 16744->16745 16746 401949 16745->16746 16746->16741 14581 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 14699 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 14581->14699 14583 409a95 14584 409aa3 GetModuleHandleA GetModuleFileNameA 14583->14584 14589 40a3c7 14583->14589 14598 409ac4 14584->14598 14585 40a41c CreateThread WSAStartup 14862 40e52e 14585->14862 15736 40405e CreateEventA 14585->15736 14587 409afd GetCommandLineA 14596 409b22 14587->14596 14588 40a406 DeleteFileA 14588->14589 14590 40a40d 14588->14590 14589->14585 14589->14588 14589->14590 14593 40a3ed GetLastError 14589->14593 14590->14585 14591 40a445 14881 40eaaf 14591->14881 14593->14590 14594 40a3f8 Sleep 14593->14594 14594->14588 14595 40a44d 14885 401d96 14595->14885 14601 409b47 14596->14601 14602 409c0c 14596->14602 14598->14587 14599 40a457 14933 4080c9 14599->14933 14612 409b96 lstrlenA 14601->14612 14620 409b58 14601->14620 14700 4096aa 14602->14700 14609 40a1d2 14617 40a1e3 GetCommandLineA 14609->14617 14610 409c39 14613 40a167 GetModuleHandleA GetModuleFileNameA 14610->14613 14706 404280 CreateEventA 14610->14706 14612->14620 14615 409c05 ExitProcess 14613->14615 14616 40a189 14613->14616 14616->14615 14625 40a1b2 GetDriveTypeA 14616->14625 14644 40a205 14617->14644 14620->14615 14623 40675c 20 API calls 14620->14623 14626 409be3 14623->14626 14625->14615 14627 40a1c5 14625->14627 14626->14615 14804 406a60 CreateFileA 14626->14804 14843 409145 GetModuleHandleA GetModuleFileNameA CharToOemA 14627->14843 14633 40a491 14634 40a49f GetTickCount 14633->14634 14636 40a4be Sleep 14633->14636 14643 40a4b7 GetTickCount 14633->14643 14979 40c913 
14633->14979 14634->14633 14634->14636 14636->14633 14638 409ca0 GetTempPathA 14639 409e3e 14638->14639 14640 409cba 14638->14640 14647 409e6b GetEnvironmentVariableA 14639->14647 14649 409e04 14639->14649 14760 4099d2 lstrcpyA 14640->14760 14642 40ec2e codecvt 4 API calls 14646 40a15d 14642->14646 14643->14636 14648 40a285 lstrlenA 14644->14648 14657 40a239 14644->14657 14646->14613 14646->14615 14647->14649 14650 409e7d 14647->14650 14648->14657 14649->14642 14651 4099d2 16 API calls 14650->14651 14653 409e9d 14651->14653 14653->14649 14656 409eb0 lstrcpyA lstrlenA 14653->14656 14654 409d5f 14823 406cc9 14654->14823 14659 409ef4 14656->14659 14851 406ec3 14657->14851 14658 40a3c2 14855 4098f2 14658->14855 14663 406dc2 6 API calls 14659->14663 14666 409f03 14659->14666 14662 40a35f 14662->14658 14662->14662 14668 40a37b 14662->14668 14663->14666 14664 40a39d StartServiceCtrlDispatcherA 14664->14658 14667 409f32 RegOpenKeyExA 14666->14667 14669 409f48 RegSetValueExA RegCloseKey 14667->14669 14673 409f70 14667->14673 14668->14664 14669->14673 14670 409cf6 14767 409326 14670->14767 14679 409f9d GetModuleHandleA GetModuleFileNameA 14673->14679 14674 409e0c DeleteFileA 14674->14639 14675 409dde GetFileAttributesExA 14675->14674 14676 409df7 14675->14676 14676->14649 14678 409dff 14676->14678 14833 4096ff 14678->14833 14681 409fc2 14679->14681 14682 40a093 14679->14682 14681->14682 14688 409ff1 GetDriveTypeA 14681->14688 14683 40a103 CreateProcessA 14682->14683 14684 40a0a4 wsprintfA 14682->14684 14685 40a13a 14683->14685 14686 40a12a DeleteFileA 14683->14686 14839 402544 14684->14839 14685->14649 14692 4096ff 3 API calls 14685->14692 14686->14685 14688->14682 14690 40a00d 14688->14690 14694 40a02d lstrcatA 14690->14694 14692->14649 14695 40a046 14694->14695 14696 40a052 lstrcatA 14695->14696 14697 40a064 lstrcatA 14695->14697 14696->14697 14697->14682 14698 40a081 lstrcatA 14697->14698 14698->14682 14699->14583 14701 4096b9 14700->14701 15082 4073ff 14701->15082 14703 
4096e2 14704 4096f7 14703->14704 15102 40704c 14703->15102 14704->14609 14704->14610 14707 4042a5 14706->14707 14708 40429d 14706->14708 15127 403ecd 14707->15127 14708->14613 14733 40675c 14708->14733 14710 4042b0 15131 404000 14710->15131 14713 4043c1 CloseHandle 14713->14708 14714 4042ce 15137 403f18 WriteFile 14714->15137 14719 4043ba CloseHandle 14719->14713 14720 404318 14721 403f18 4 API calls 14720->14721 14722 404331 14721->14722 14723 403f18 4 API calls 14722->14723 14724 40434a 14723->14724 15145 40ebcc GetProcessHeap 14724->15145 14727 403f18 4 API calls 14728 404389 14727->14728 14729 40ec2e codecvt 4 API calls 14728->14729 14730 40438f 14729->14730 14731 403f8c 4 API calls 14730->14731 14732 40439f CloseHandle CloseHandle 14731->14732 14732->14708 14734 406784 CreateFileA 14733->14734 14735 40677a SetFileAttributesA 14733->14735 14736 4067a4 CreateFileA 14734->14736 14737 4067b5 14734->14737 14735->14734 14736->14737 14738 4067c5 14737->14738 14739 4067ba SetFileAttributesA 14737->14739 14740 406977 14738->14740 14741 4067cf GetFileSize 14738->14741 14739->14738 14740->14613 14740->14638 14740->14639 14742 4067e5 14741->14742 14759 406922 14741->14759 14744 4067ed ReadFile 14742->14744 14742->14759 14743 40696e CloseHandle 14743->14740 14745 406811 SetFilePointer 14744->14745 14744->14759 14746 40682a ReadFile 14745->14746 14745->14759 14747 406848 SetFilePointer 14746->14747 14746->14759 14748 406867 14747->14748 14747->14759 14749 4068d5 14748->14749 14750 406878 ReadFile 14748->14750 14749->14743 14752 40ebcc 3 API calls 14749->14752 14751 4068d0 14750->14751 14753 406891 14750->14753 14751->14749 14754 4068f8 14752->14754 14753->14750 14753->14751 14755 406900 SetFilePointer 14754->14755 14754->14759 14756 40695a 14755->14756 14757 40690d ReadFile 14755->14757 14758 40ec2e codecvt 4 API calls 14756->14758 14757->14756 14757->14759 14758->14759 14759->14743 14761 4099eb 14760->14761 14762 409a2f lstrcatA 14761->14762 14763 40ee2a 14762->14763 14764 
409a4b lstrcatA 14763->14764 14765 406a60 13 API calls 14764->14765 14766 409a60 14765->14766 14766->14639 14766->14670 14817 406dc2 14766->14817 15152 401910 14767->15152 14770 40934a GetModuleHandleA GetModuleFileNameA 14772 40937f 14770->14772 14773 4093a4 14772->14773 14774 4093d9 14772->14774 14775 4093c3 wsprintfA 14773->14775 14776 409401 wsprintfA 14774->14776 14777 409415 14775->14777 14776->14777 14779 406cc9 5 API calls 14777->14779 14801 4094a0 14777->14801 14786 409439 14779->14786 14780 4094ac 14781 40962f 14780->14781 14782 4094e8 RegOpenKeyExA 14780->14782 14787 409646 14781->14787 15182 401820 14781->15182 14784 409502 14782->14784 14785 4094fb 14782->14785 14790 40951f RegQueryValueExA 14784->14790 14785->14781 14792 40958a 14785->14792 15167 40ef1e lstrlenA 14786->15167 14789 4095d6 14787->14789 15162 4091eb 14787->15162 14789->14674 14789->14675 14793 409530 14790->14793 14794 409539 14790->14794 14792->14787 14796 409593 14792->14796 14797 40956e RegCloseKey 14793->14797 14798 409556 RegQueryValueExA 14794->14798 14795 409462 14799 40947e wsprintfA 14795->14799 14796->14789 15169 40f0e4 14796->15169 14797->14785 14798->14793 14798->14797 14799->14801 15154 406edd 14801->15154 14802 4095bb 14802->14789 15176 4018e0 14802->15176 14805 406b8c GetLastError 14804->14805 14806 406a8f GetDiskFreeSpaceA 14804->14806 14808 406b86 14805->14808 14807 406ac5 14806->14807 14816 406ad7 14806->14816 15230 40eb0e 14807->15230 14808->14615 14812 406b56 CloseHandle 14812->14808 14815 406b65 GetLastError CloseHandle 14812->14815 14813 406b36 GetLastError CloseHandle 14814 406b7f DeleteFileA 14813->14814 14814->14808 14815->14814 15224 406987 14816->15224 14818 406dd7 14817->14818 14822 406e24 14817->14822 14819 406cc9 5 API calls 14818->14819 14820 406ddc 14819->14820 14820->14820 14821 406e02 GetVolumeInformationA 14820->14821 14820->14822 14821->14822 14822->14654 14824 406cdc GetModuleHandleA GetProcAddress 14823->14824 14825 406dbe lstrcpyA lstrcatA lstrcatA 
14823->14825 14826 406d12 GetSystemDirectoryA 14824->14826 14827 406cfd 14824->14827 14825->14670 14828 406d27 GetWindowsDirectoryA 14826->14828 14829 406d1e 14826->14829 14827->14826 14831 406d8b 14827->14831 14830 406d42 14828->14830 14829->14828 14829->14831 14832 40ef1e lstrlenA 14830->14832 14831->14825 14832->14831 14834 402544 14833->14834 14835 40972d RegOpenKeyExA 14834->14835 14836 409740 14835->14836 14837 409765 14835->14837 14838 40974f RegDeleteValueA RegCloseKey 14836->14838 14837->14649 14838->14837 14840 402554 lstrcatA 14839->14840 14841 40ee2a 14840->14841 14842 40a0ec lstrcatA 14841->14842 14842->14683 14844 402544 14843->14844 14845 40919e wsprintfA 14844->14845 14846 4091bb 14845->14846 15238 409064 GetTempPathA 14846->15238 14849 4091d5 ShellExecuteA 14850 4091e7 14849->14850 14850->14615 14852 406ecc 14851->14852 14854 406ed5 14851->14854 14853 406e36 2 API calls 14852->14853 14853->14854 14854->14662 14856 4098f6 14855->14856 14857 404280 29 API calls 14856->14857 14858 409904 Sleep 14856->14858 14859 409915 14856->14859 14857->14856 14858->14856 14858->14859 14861 409947 14859->14861 15245 40977c 14859->15245 14861->14589 15267 40dd05 GetTickCount 14862->15267 14864 40e538 15274 40dbcf 14864->15274 14866 40e544 14867 40e555 GetFileSize 14866->14867 14872 40e5b8 14866->14872 14868 40e5b1 CloseHandle 14867->14868 14869 40e566 14867->14869 14868->14872 15284 40db2e 14869->15284 15293 40e3ca RegOpenKeyExA 14872->15293 14873 40e576 ReadFile 14873->14868 14875 40e58d 14873->14875 15288 40e332 14875->15288 14878 40e5f2 14879 40e3ca 17 API calls 14878->14879 14880 40e629 14878->14880 14879->14880 14880->14591 14882 40eabe 14881->14882 14884 40eaba 14881->14884 14883 40dd05 6 API calls 14882->14883 14882->14884 14883->14884 14884->14595 14886 40ee2a 14885->14886 14887 401db4 GetVersionExA 14886->14887 14888 401dd0 GetSystemInfo GetModuleHandleA GetProcAddress 14887->14888 14890 401e24 14888->14890 14891 401e16 GetCurrentProcess 14888->14891 15347 
40e819 14890->15347 14891->14890 14893 401e3d 14894 40e819 11 API calls 14893->14894 14895 401e4e 14894->14895 14896 401e77 14895->14896 15354 40df70 14895->15354 15363 40ea84 14896->15363 14899 401e6c 14901 40df70 12 API calls 14899->14901 14901->14896 14902 40e819 11 API calls 14903 401e93 14902->14903 15367 40199c inet_addr LoadLibraryA 14903->15367 14906 40e819 11 API calls 14907 401eb9 14906->14907 14908 40f04e 4 API calls 14907->14908 14915 401ed8 14907->14915 14910 401ec9 14908->14910 14909 40e819 11 API calls 14911 401eee 14909->14911 14912 40ea84 28 API calls 14910->14912 14913 401f0a 14911->14913 15377 401b71 14911->15377 14912->14915 14914 40e819 11 API calls 14913->14914 14917 401f23 14914->14917 14915->14909 14920 401f3f 14917->14920 15381 401bdf 14917->15381 14918 401efd 14919 40ea84 28 API calls 14918->14919 14919->14913 14922 40e819 11 API calls 14920->14922 14924 401f5e 14922->14924 14926 401f77 14924->14926 14928 40ea84 28 API calls 14924->14928 14925 40ea84 28 API calls 14925->14920 15388 4030b5 14926->15388 14928->14926 14930 406ec3 2 API calls 14932 401f8e GetTickCount 14930->14932 14932->14599 14934 406ec3 2 API calls 14933->14934 14935 4080eb 14934->14935 14936 4080f9 14935->14936 14937 4080ef 14935->14937 14939 40704c 16 API calls 14936->14939 15436 407ee6 14937->15436 14941 408110 14939->14941 14940 408269 CreateThread 14958 405e6c 14940->14958 15765 40877e 14940->15765 14943 408156 RegOpenKeyExA 14941->14943 14944 4080f4 14941->14944 14942 40675c 20 API calls 14948 408244 14942->14948 14943->14944 14945 40816d RegQueryValueExA 14943->14945 14944->14940 14944->14942 14946 4081f7 14945->14946 14947 40818d 14945->14947 14949 40820d RegCloseKey 14946->14949 14950 40ec2e codecvt 4 API calls 14946->14950 14947->14946 14952 40ebcc 3 API calls 14947->14952 14948->14940 14951 40ec2e codecvt 4 API calls 14948->14951 14949->14944 14957 4081dd 14950->14957 14951->14940 14953 4081a0 14952->14953 14953->14949 14954 4081aa RegQueryValueExA 14953->14954 
14954->14946 14955 4081c4 14954->14955 14956 40ebcc 3 API calls 14955->14956 14956->14957 14957->14949 15504 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 14958->15504 14961 405e71 15505 40e654 14961->15505 14962 405ec1 14963 403132 14962->14963 14964 40df70 12 API calls 14963->14964 14965 40313b 14964->14965 14966 40c125 14965->14966 15516 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 14966->15516 14968 40c12d 14969 40e654 12 API calls 14968->14969 14970 40c2bd 14969->14970 14971 40e654 12 API calls 14970->14971 14972 40c2c9 14971->14972 14973 40e654 12 API calls 14972->14973 14974 40a47a 14973->14974 14975 408db1 14974->14975 14976 408dbc 14975->14976 14977 40e654 12 API calls 14976->14977 14978 408dec Sleep 14977->14978 14978->14633 14980 40c92f 14979->14980 14981 40c93c 14980->14981 15517 40c517 14980->15517 14983 40ca2b 14981->14983 14984 40e819 11 API calls 14981->14984 14983->14633 14985 40c96a 14984->14985 14986 40e819 11 API calls 14985->14986 14987 40c97d 14986->14987 14988 40e819 11 API calls 14987->14988 14989 40c990 14988->14989 14990 40c9aa 14989->14990 14991 40ebcc 3 API calls 14989->14991 14990->14983 15534 402684 14990->15534 14991->14990 14996 40ca26 15541 40c8aa 14996->15541 14999 40ca44 15000 40ca4b closesocket 14999->15000 15001 40ca83 14999->15001 15000->14996 15002 40ea84 28 API calls 15001->15002 15003 40caac 15002->15003 15004 40f04e 4 API calls 15003->15004 15005 40cab2 15004->15005 15006 40ea84 28 API calls 15005->15006 15007 40caca 15006->15007 15008 40ea84 28 API calls 15007->15008 15009 40cad9 15008->15009 15549 40c65c 15009->15549 15012 40cb60 closesocket 15012->14983 15014 40dad2 closesocket 15015 40e318 21 API calls 15014->15015 15015->14983 15016 40df4c 18 API calls 15043 40cb70 15016->15043 15021 40e654 12 API calls 15021->15043 15025 40c65c send GetProcessHeap HeapSize GetProcessHeap 15025->15043 15028 40ea84 28 API calls 15028->15043 15029 40d569 closesocket Sleep 15596 40e318 15029->15596 
15030 40d815 wsprintfA 15030->15043 15031 40cc1c GetTempPathA 15031->15043 15032 40c517 22 API calls 15032->15043 15034 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15034->15043 15035 407ead 6 API calls 15035->15043 15036 40d582 ExitProcess 15037 40e8a1 28 API calls 15037->15043 15038 40cfe3 GetSystemDirectoryA 15038->15043 15039 40cfad GetEnvironmentVariableA 15039->15043 15040 40675c 20 API calls 15040->15043 15041 40d027 GetSystemDirectoryA 15041->15043 15042 40d105 lstrcatA 15042->15043 15043->15014 15043->15016 15043->15021 15043->15025 15043->15028 15043->15029 15043->15030 15043->15031 15043->15032 15043->15034 15043->15035 15043->15037 15043->15038 15043->15039 15043->15040 15043->15041 15043->15042 15044 40ef1e lstrlenA 15043->15044 15045 40cc9f CreateFileA 15043->15045 15046 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15043->15046 15048 40d15b CreateFileA 15043->15048 15053 40d149 SetFileAttributesA 15043->15053 15054 40d36e GetEnvironmentVariableA 15043->15054 15055 40d1bf SetFileAttributesA 15043->15055 15056 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15043->15056 15058 40d22d GetEnvironmentVariableA 15043->15058 15060 40d3af lstrcatA 15043->15060 15062 407fcf 64 API calls 15043->15062 15063 40d3f2 CreateFileA 15043->15063 15069 40d3e0 SetFileAttributesA 15043->15069 15070 40d26e lstrcatA 15043->15070 15072 40d4b1 CreateProcessA 15043->15072 15073 40d2b1 CreateFileA 15043->15073 15075 40d452 SetFileAttributesA 15043->15075 15077 407ee6 64 API calls 15043->15077 15078 40d29f SetFileAttributesA 15043->15078 15081 40d31d SetFileAttributesA 15043->15081 15557 40c75d 15043->15557 15569 407e2f 15043->15569 15591 407ead 15043->15591 15601 4031d0 15043->15601 15618 403c09 15043->15618 15628 403a00 15043->15628 15632 40e7b4 15043->15632 15635 40c06c 15043->15635 15641 406f5f GetUserNameA 15043->15641 15652 40e854 15043->15652 15662 407dd6 15043->15662 15044->15043 
15045->15043 15047 40ccc6 WriteFile 15045->15047 15046->15043 15049 40cdcc CloseHandle 15047->15049 15050 40cced CloseHandle 15047->15050 15048->15043 15051 40d182 WriteFile CloseHandle 15048->15051 15049->15043 15057 40cd2f 15050->15057 15051->15043 15052 40cd16 wsprintfA 15052->15057 15053->15048 15054->15043 15055->15043 15056->15043 15057->15052 15578 407fcf 15057->15578 15058->15043 15060->15043 15060->15063 15062->15043 15063->15043 15064 40d415 WriteFile CloseHandle 15063->15064 15064->15043 15065 40cd81 WaitForSingleObject CloseHandle CloseHandle 15067 40f04e 4 API calls 15065->15067 15066 40cda5 15068 407ee6 64 API calls 15066->15068 15067->15066 15071 40cdbd DeleteFileA 15068->15071 15069->15063 15070->15043 15070->15073 15071->15043 15072->15043 15074 40d4e8 CloseHandle CloseHandle 15072->15074 15073->15043 15076 40d2d8 WriteFile CloseHandle 15073->15076 15074->15043 15075->15043 15076->15043 15077->15043 15078->15073 15081->15043 15083 40741b 15082->15083 15084 406dc2 6 API calls 15083->15084 15085 40743f 15084->15085 15086 407469 RegOpenKeyExA 15085->15086 15088 4077f9 15086->15088 15097 407487 ___ascii_stricmp 15086->15097 15087 407703 RegEnumKeyA 15089 407714 RegCloseKey 15087->15089 15087->15097 15088->14703 15089->15088 15090 4074d2 RegOpenKeyExA 15090->15097 15091 40772c 15093 407742 RegCloseKey 15091->15093 15094 40774b 15091->15094 15092 407521 RegQueryValueExA 15092->15097 15093->15094 15096 4077ec RegCloseKey 15094->15096 15095 4076e4 RegCloseKey 15095->15097 15096->15088 15097->15087 15097->15090 15097->15091 15097->15092 15097->15095 15099 40f1a5 lstrlenA 15097->15099 15100 40777e GetFileAttributesExA 15097->15100 15101 407769 15097->15101 15098 4077e3 RegCloseKey 15098->15096 15099->15097 15100->15101 15101->15098 15103 407073 15102->15103 15104 4070b9 RegOpenKeyExA 15103->15104 15105 4070d0 15104->15105 15119 4071b8 15104->15119 15106 406dc2 6 API calls 15105->15106 15109 4070d5 15106->15109 15107 40719b RegEnumValueA 15108 4071af 
RegCloseKey 15107->15108 15107->15109 15108->15119 15109->15107 15111 4071d0 15109->15111 15125 40f1a5 lstrlenA 15109->15125 15112 407205 RegCloseKey 15111->15112 15113 407227 15111->15113 15112->15119 15114 4072b8 ___ascii_stricmp 15113->15114 15115 40728e RegCloseKey 15113->15115 15116 4072cd RegCloseKey 15114->15116 15117 4072dd 15114->15117 15115->15119 15116->15119 15118 407311 RegCloseKey 15117->15118 15121 407335 15117->15121 15118->15119 15119->14704 15120 4073d5 RegCloseKey 15122 4073e4 15120->15122 15121->15120 15123 40737e GetFileAttributesExA 15121->15123 15124 407397 15121->15124 15123->15124 15124->15120 15126 40f1c3 15125->15126 15126->15109 15128 403ee2 15127->15128 15129 403edc 15127->15129 15128->14710 15130 406dc2 6 API calls 15129->15130 15130->15128 15132 40400b CreateFileA 15131->15132 15133 40402c GetLastError 15132->15133 15134 404052 15132->15134 15133->15134 15135 404037 15133->15135 15134->14708 15134->14713 15134->14714 15135->15134 15136 404041 Sleep 15135->15136 15136->15132 15136->15134 15138 403f7c 15137->15138 15139 403f4e GetLastError 15137->15139 15141 403f8c ReadFile 15138->15141 15139->15138 15140 403f5b WaitForSingleObject GetOverlappedResult 15139->15140 15140->15138 15142 403fc2 GetLastError 15141->15142 15144 403ff0 15141->15144 15143 403fcf WaitForSingleObject GetOverlappedResult 15142->15143 15142->15144 15143->15144 15144->14719 15144->14720 15146 40ebe0 15145->15146 15149 40eb74 15146->15149 15150 40eb7b GetProcessHeap HeapSize 15149->15150 15151 404350 15149->15151 15150->15151 15151->14727 15153 401924 GetVersionExA 15152->15153 15153->14770 15155 406f55 15154->15155 15156 406eef AllocateAndInitializeSid 15154->15156 15155->14780 15157 406f44 15156->15157 15158 406f1c CheckTokenMembership 15156->15158 15157->15155 15188 406e36 GetUserNameW 15157->15188 15159 406f3b FreeSid 15158->15159 15160 406f2e 15158->15160 15159->15157 15160->15159 15163 40920e 15162->15163 15166 409308 15162->15166 15163->15163 15164 4092f1 Sleep 
15163->15164 15165 4092bf ShellExecuteA 15163->15165 15163->15166 15164->15163 15165->15163 15165->15166 15166->14789 15168 40ef32 15167->15168 15168->14795 15170 40f0f1 15169->15170 15171 40f0ed 15169->15171 15172 40f119 15170->15172 15173 40f0fa lstrlenA SysAllocStringByteLen 15170->15173 15171->14802 15174 40f11c MultiByteToWideChar 15172->15174 15173->15174 15175 40f117 15173->15175 15174->15175 15175->14802 15177 401820 17 API calls 15176->15177 15178 4018f2 15177->15178 15179 4018f9 15178->15179 15191 401280 15178->15191 15179->14789 15181 401908 15181->14789 15203 401000 15182->15203 15184 401839 15185 401851 GetCurrentProcess 15184->15185 15186 40183d 15184->15186 15187 401864 15185->15187 15186->14787 15187->14787 15189 406e97 15188->15189 15190 406e5f LookupAccountNameW 15188->15190 15189->15155 15190->15189 15192 4012e1 15191->15192 15193 4016f9 GetLastError 15192->15193 15197 4013a8 15192->15197 15194 401699 15193->15194 15194->15181 15195 401570 lstrlenW 15195->15197 15196 4015be GetStartupInfoW 15196->15197 15197->15194 15197->15195 15197->15196 15197->15197 15198 4015ff CreateProcessWithLogonW 15197->15198 15202 401668 CloseHandle 15197->15202 15199 4016bf GetLastError 15198->15199 15200 40163f WaitForSingleObject 15198->15200 15199->15194 15200->15197 15201 401659 CloseHandle 15200->15201 15201->15197 15202->15197 15204 40100d LoadLibraryA 15203->15204 15213 401023 15203->15213 15205 401021 15204->15205 15204->15213 15205->15184 15206 4010b5 GetProcAddress 15207 4010d1 GetProcAddress 15206->15207 15208 40127b 15206->15208 15207->15208 15209 4010f0 GetProcAddress 15207->15209 15208->15184 15209->15208 15210 401110 GetProcAddress 15209->15210 15210->15208 15211 401130 GetProcAddress 15210->15211 15211->15208 15212 40114f GetProcAddress 15211->15212 15212->15208 15214 40116f GetProcAddress 15212->15214 15213->15206 15223 4010ae 15213->15223 15214->15208 15215 40118f GetProcAddress 15214->15215 15215->15208 15216 4011ae GetProcAddress 15215->15216 
Execution Graph
[Graph-viewer data: the interactive call graph was exported as raw tokens (node id, 6-digit code address, Win32 API names on that node; "a->b" edges; "N API calls" summaries) and is not reproduced here. The API chains recoverable from the node labels, by code address in the sample:]
4011ce-40125c: GetProcAddress x6; 40eaed/40eb02, 401ac3/4019d5, 402d46/402d5b: LoadLibraryA, GetProcAddress, FreeLibrary (dynamic API resolution; cf. "Contains functionality to dynamically determine API calls")
409794-409858 with 40638a-4063df: CreateProcessA, GetThreadContext, GetModuleHandleA, VirtualAlloc, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread; TerminateProcess (4097f6) on the failure path (cf. "Injects a PE file into a foreign processes", "Allocates memory in foreign processes", "Writes to foreign memory regions")
407809-407a86: GetUserNameA, LookupAccountNameA, GetLengthSid, GetFileSecurityA, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetFileSecurityA, GetSecurityDescriptorDacl, GetAce, DeleteAce, SetSecurityDescriptorDacl, SetFileSecurityA, LocalFree (rewrites a file's owner and DACL)
407a95-407da7: RegOpenKeyExA, GetUserNameA, LookupAccountNameA, RegGetKeySecurity, GetSecurityDescriptorOwner, EqualSid, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, RegSetKeySecurity, GetSecurityDescriptorDacl, GetAce, DeleteAce, SetSecurityDescriptorDacl, RegSetKeySecurity, RegSetValueExA, RegCloseKey (same treatment for a registry key)
406f94/406fdb: LookupAccountNameA, ConvertSidToStringSidA, LocalFree
40e095-40e14e: RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegCloseKey; 4083ea-408573: RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCloseKey; 40e434-40e51d: RegQueryValueExA, RegCloseKey
408626-40875b: GetTempPathA, lstrcpyA, lstrlenA, CreateProcessA, CloseHandle, DeleteFileA; 407ece: DeleteFileA (cf. "Deletes itself after installation")
404159-40426a: CreateNamedPipeA, Sleep, ConnectNamedPipe, GetLastError, ReadFile/WriteFile with WaitForSingleObject and GetOverlappedResult, DisconnectNamedPipe, ExitProcess, CloseHandle
40f347-40f403, 40f26d: htons, socket, ioctlsocket, connect, select, __WSAFDIsSet, closesocket, setsockopt x5; 40f473: recv; 40c73c, 40a87d: send; 40a978: recv
402a99-402cb3: socket, htons, select, recv, GetProcessHeap/HeapFree, closesocket; 4027cc: htons, sendto; 402e7f/402ea5: htons, inet_addr, gethostbyname; 402692/40269e: inet_addr, gethostbyname; 4030d0, 40ad08: gethostname, gethostbyname; 4026b2/4026e1, 40a7a3: gethostbyaddr, inet_ntoa
401c0d/401c45, 401b68: GetComputerNameA, GetVolumeInformationA; 40db67: GetEnvironmentVariableA followed by lstrcpyA, CreateFileA
4090e2-40911a: wsprintfA, CreateFileA, lstrlenA, WriteFile, CloseHandle; 406ba7-406c5a: IsBadCodePtr, CreateFileA, WriteFile, CloseHandle, DeleteFileA; 404fd5: IsBadCodePtr
40ad89, 40b2af-40b33a, 40f04e: GetLocalTime, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetTimeZoneInformation, GetSystemTimeAsFileTime, wsprintfA
40dd41/40dd2e/40dd39, 403122/40310f/40311a, 404bff/404bec/404bf7, 40a4f7/40a4e4/40a4ef, 407dc8/407dc0: InterlockedExchange, GetTickCount, Sleep loops (cf. "May sleep (evasive loops) to hinder dynamic analysis"); further GetTickCount nodes throughout 40a4c7-40c4d2 and 402011-402159
40c4ab/40c4cb: InterlockedIncrement, CreateThread, CloseHandle; 40bdcd: InterlockedDecrement; GetCurrentThreadId at 4037b3/4036da/40391b
40eba7/40ebbf, 401940, 402fcf: GetProcessHeap, HeapSize, HeapFree; codecvt-tagged helper at 40ec2e
700005-700e0f (second image): GetPEB, SetErrorMode x2, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA (cf. "Detected unpacking (overwrites its own PE header)" and "Detected unpacking (changes PE section rights)")
[The dump continues with nodes 911954/911962 (no API labels).]
14563->14566 14567 911971 14566->14567 14570 912102 14567->14570 14576 91211d 14570->14576 14571 912126 CreateToolhelp32Snapshot 14572 912142 Module32First 14571->14572 14571->14576 14573 912151 14572->14573 14575 911961 14572->14575 14577 911dc1 14573->14577 14576->14571 14576->14572 14578 911dec 14577->14578 14579 911e35 14578->14579 14580 911dfd VirtualAlloc 14578->14580 14579->14579 14580->14579
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(004133D8), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
• API String ID: 2089075347-2824936573
• Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 497 409326-409348 call 401910 GetVersionExA 500 409358-40935c 497->500 501 40934a-409356 497->501 502 409360-40937d GetModuleHandleA GetModuleFileNameA 500->502 501->502 503 409385-4093a2 502->503 504 40937f 502->504 505 4093a4-4093d7 call 402544 wsprintfA 503->505 506 4093d9-409412 call 402544 wsprintfA 503->506 504->503 511 409415-40942c call 40ee2a 505->511 506->511 514 4094a3-4094b3 call 406edd 511->514 515 40942e-409432 511->515 520 4094b9-4094f9 call 402544 RegOpenKeyExA 514->520 521 40962f-409632 514->521 515->514 516 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 515->516 516->514 531 409502-40952e call 402544 RegQueryValueExA 520->531 532 4094fb-409500 520->532 525 409634-409637 521->525 526 409639-40964a call 401820 525->526 527 40967b-409682 525->527 540 40964c-409662 526->540 541 40966d-409679 526->541 534 409683 call 4091eb 527->534 550 409530-409537 531->550 551 409539-409565 call 402544 RegQueryValueExA 531->551 536 40957a-40957f 532->536 544 409688-409690 534->544 545 409581-409584 536->545 546 40958a-40958d 536->546 548 409664-40966b 540->548 549 40962b-40962d 540->549 541->534 553 409692 544->553 554 409698-4096a0 544->554 545->525 545->546 546->527 547 409593-40959a 546->547 555 40961a-40961f 547->555 556 40959c-4095a1 547->556 548->549 560 4096a2-4096a9 549->560 557 40956e-409577 RegCloseKey 550->557 551->557 566 409567 551->566 553->554 554->560 564 409625 555->564 556->555 561 4095a3-4095c0 call 40f0e4 556->561 557->536 570 4095c2-4095db call 4018e0 561->570 571 40960c-409618 561->571 564->549 566->557 570->560 574 4095e1-4095f9 570->574 571->564 574->560 575 4095ff-409607 574->575 575->560
APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop$runas
• API String ID: 3696105349-2220793183
• Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
• Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 614 406a60-406a89 CreateFileA 615 406b8c-406ba1 GetLastError 614->615 616 406a8f-406ac3 GetDiskFreeSpaceA 614->616 619 406ba3-406ba6 615->619 617 406ac5-406adc call 40eb0e 616->617 618 406b1d-406b27 call 406987 616->618 617->618 626 406ade 617->626 622 406b2c-406b34 618->622 624 406b56-406b63 CloseHandle 622->624 625 406b36-406b54 GetLastError CloseHandle 622->625 628 406b65-406b7d GetLastError CloseHandle 624->628 629 406b86-406b8a 624->629 627 406b7f-406b80 DeleteFileA 625->627 630 406ae0-406ae5 626->630 631 406ae7-406afb call 40eca5 626->631 627->629 628->627 629->619 630->631 632 406afd-406aff 630->632 631->618 632->618 635 406b01 632->635 636 406b03-406b08 635->636 637 406b0a-406b17 call 40eca5 635->637 636->618 636->637 637->618
APIs
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,76128A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID: PromptOnSecureDesktop
• API String ID: 3188212458-2980165447
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
• RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
  • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
  • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Similarity
• API ID: Heap$Process$AllocateSize
• String ID: ]Vw`'Vw
• API String ID: 2559512979-147723481
• Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
• Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
• Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
• Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTickCount.KERNEL32 ref: 0040EC78
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
• Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0091212A
• Module32First.KERNEL32(00000000,00000224), ref: 0091214A
Memory Dump Source
• Source File: 00000004.00000002.1457392227.000000000090D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_90d000_file.jbxd
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 1434111203bfbd9d8b473af22cf2b88cc631f56857e30327c1cdc8d8f8abed73
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 5FF0CD32200318BBD7207BF8A88DBEA76ECAF49325F100528E746910C0CB70E8858A60
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,761311B0,00000000), ref: 00407472
• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,761311B0,00000000), ref: 004074F0
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,761311B0,00000000), ref: 00407528
• ___ascii_stricmp.LIBCMT ref: 0040764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,761311B0,00000000), ref: 004076E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,761311B0,00000000), ref: 00407717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,761311B0,00000000), ref: 00407745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,761311B0,00000000), ref: 004077EF
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
• RegCloseKey.ADVAPI32(?), ref: 004077E6
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
• Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
• Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,761311B0,?,761311B0,00000000), ref: 004070C2
                                                                                                                                                                                • RegEnumValueA.KERNELBASE(761311B0,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,761311B0,00000000), ref: 0040719E
                                                                                                                                                                                • RegCloseKey.ADVAPI32(761311B0,?,761311B0,00000000), ref: 004071B2
                                                                                                                                                                                • RegCloseKey.ADVAPI32(761311B0), ref: 00407208
                                                                                                                                                                                • RegCloseKey.ADVAPI32(761311B0), ref: 00407291
                                                                                                                                                                                • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                                                                                                                • RegCloseKey.ADVAPI32(761311B0), ref: 004072D0
                                                                                                                                                                                • RegCloseKey.ADVAPI32(761311B0), ref: 00407314
                                                                                                                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                                                                                                                • RegCloseKey.ADVAPI32(761311B0), ref: 004073D8
                                                                                                                                                                                  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                 • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                                                                                                                • String ID: $"$PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 4293430545-98143240
                                                                                                                                                                                • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                                                                                                                • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                                                                                                                • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                                                                                                                • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                APIs
                                                                                                                                                                                • SetFileAttributesA.KERNEL32(?,00000080,?,761311B0,00000000), ref: 0040677E
                                                                                                                                                                                • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761311B0,00000000), ref: 0040679A
                                                                                                                                                                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761311B0,00000000), ref: 004067B0
                                                                                                                                                                                • SetFileAttributesA.KERNEL32(?,00000002,?,761311B0,00000000), ref: 004067BF
                                                                                                                                                                                • GetFileSize.KERNEL32(000000FF,00000000,?,761311B0,00000000), ref: 004067D3
                                                                                                                                                                                • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,761311B0,00000000), ref: 00406807
                                                                                                                                                                                • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,761311B0,00000000), ref: 0040681F
                                                                                                                                                                                • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,761311B0,00000000), ref: 0040683E
                                                                                                                                                                                • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,761311B0,00000000), ref: 0040685C
                                                                                                                                                                                • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,761311B0,00000000), ref: 0040688B
                                                                                                                                                                                • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,761311B0,00000000), ref: 00406906
                                                                                                                                                                                • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,761311B0,00000000), ref: 0040691C
                                                                                                                                                                                • CloseHandle.KERNEL32(000000FF,?,761311B0,00000000), ref: 00406971
                                                                                                                                                                                  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                                                                                                  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                 • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2622201749-0
                                                                                                                                                                                • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                                                                                                • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                                                                                                                • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                                                                                                • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                APIs
                                                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0070024D
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                                                • String ID: cess$kernel32.dll
                                                                                                                                                                                • API String ID: 4275171209-1230238691
                                                                                                                                                                                • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                                                                • Instruction ID: 9be9b3c6779dbc4fec803037c48c4e54be1ef0d9e37ab80a9898581bd6dc0544
                                                                                                                                                                                • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                                                                • Instruction Fuzzy Hash: 5C527974A00229DFDB64CF58C984BA8BBB1BF09314F1481E9E50DAB391DB34AE94DF54
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                APIs
                                                                                                                                                                                • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                                                                                                                • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                                                                                                                • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                                                                                                                  • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,76128A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                                                                                                  • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                                                                                                  • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                                                                                                  • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                                                                                                  • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                 • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 4131120076-2980165447
                                                                                                                                                                                • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                                                                                                                • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                                                                                                                • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                                                                                                                • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                APIs
                                                                                                                                                                                • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                                                                                                                • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                                                                                                                • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CreateErrorFileLastSleep
                                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 408151869-2980165447
                                                                                                                                                                                • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                                                                                                • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                                                                                                                • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                                                                                                • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 749 406987-4069b7 750 4069e0 749->750 751 4069b9-4069be 749->751 753 4069e4-4069fd WriteFile 750->753 751->750 752 4069c0-4069d0 751->752 754 4069d2 752->754 755 4069d5-4069de 752->755 756 406a4d-406a51 753->756 757 4069ff-406a02 753->757 754->755 755->753 758 406a53-406a56 756->758 759 406a59 756->759 757->756 760 406a04-406a08 757->760 758->759 761 406a5b-406a5f 759->761 762 406a0a-406a0d 760->762 763 406a3c-406a3e 760->763 764 406a10-406a2e WriteFile 762->764 763->761 765 406a40-406a4b 764->765 766 406a30-406a33 764->766 765->761 766->765 767 406a35-406a3a 766->767 767->763 767->764
                                                                                                                                                                                APIs
                                                                                                                                                                                • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                                                                                                • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: FileWrite
                                                                                                                                                                                • String ID: ,k@
                                                                                                                                                                                • API String ID: 3934441357-1053005162
                                                                                                                                                                                • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                                                                                                • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                                                                                                • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                                                                                                • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 773 4091eb-409208 774 409308 773->774 775 40920e-40921c call 40ed03 773->775 777 40930b-40930f 774->777 779 40921e-40922c call 40ed03 775->779 780 40923f-409249 775->780 779->780 786 40922e-409230 779->786 782 409250-409270 call 40ee08 780->782 783 40924b 780->783 788 409272-40927f 782->788 789 4092dd-4092e1 782->789 783->782 790 409233-409238 786->790 791 409281-409285 788->791 792 40929b-40929e 788->792 793 4092e3-4092e5 789->793 794 4092e7-4092e8 789->794 790->790 795 40923a-40923c 790->795 791->791 796 409287 791->796 798 4092a0 792->798 799 40928e-409293 792->799 793->794 797 4092ea-4092ef 793->797 794->789 795->780 796->792 802 4092f1-4092f6 Sleep 797->802 803 4092fc-409302 797->803 804 4092a8-4092ab 798->804 800 409295-409298 799->800 801 409289-40928c 799->801 800->804 805 40929a 800->805 801->799 801->805 802->803 803->774 803->775 806 4092a2-4092a5 804->806 807 4092ad-4092b0 804->807 805->792 808 4092b2 806->808 809 4092a7 806->809 807->808 810 4092bd 807->810 812 4092b5-4092b9 808->812 809->804 811 4092bf-4092db ShellExecuteA 810->811 811->789 813 409310-409324 811->813 812->812 814 4092bb 812->814 813->777 814->811
                                                                                                                                                                                APIs
                                                                                                                                                                                • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                                                                                                                • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ExecuteShellSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 4194306370-0
                                                                                                                                                                                • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                                                                                                                • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                                                                                                                • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                                                                                                                • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 828 700e0f-700e24 SetErrorMode * 2 829 700e26 828->829 830 700e2b-700e2c 828->830 829->830
                                                                                                                                                                                APIs
                                                                                                                                                                                • SetErrorMode.KERNELBASE(00000400,?,?,00700223,?,?), ref: 00700E19
                                                                                                                                                                                • SetErrorMode.KERNELBASE(00000000,?,?,00700223,?,?), ref: 00700E1E
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ErrorMode
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2340568224-0
                                                                                                                                                                                • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                • Instruction ID: 363d1c857498136fbe31aee574387ff28b79b8b4375f79cccd03c8d3e1615692
                                                                                                                                                                                • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                • Instruction Fuzzy Hash: AED01231145128B7D7003A94DC09BCD7B5CDF05B62F008411FB0DE9080C774994046E5
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 831 406dc2-406dd5 832 406e33-406e35 831->832 833 406dd7-406df1 call 406cc9 call 40ef00 831->833 838 406df4-406df9 833->838 838->838 839 406dfb-406e00 838->839 840 406e02-406e22 GetVolumeInformationA 839->840 841 406e24 839->841 840->841 842 406e2e 840->842 841->842 842->832
                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                                                                                                  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                                                                                                  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                                                                                                  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                                                                                                • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1823874839-0
                                                                                                                                                                                • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                                                                                                • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                                                                                                                • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                                                                                                • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00911E12
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457392227.000000000090D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_90d000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                                                • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                • Instruction ID: ca25ba92f5b78bb74ea5cf394c076169ea20a53e63ecd7378dbff1ec50d353e4
                                                                                                                                                                                • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                • Instruction Fuzzy Hash: 13112B79A00208EFDB01DF98C985E99BBF5AF08350F058094FA489B362D375EA90DB80
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• closesocket.WS2_32(?), ref: 0040CA4E
• closesocket.WS2_32(?), ref: 0040CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
• WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
• wsprintfA.USER32 ref: 0040CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
• CloseHandle.KERNEL32(?), ref: 0040CD98
• CloseHandle.KERNEL32(?), ref: 0040CD9D
• DeleteFileA.KERNEL32(?), ref: 0040CDC4
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
• lstrcatA.KERNEL32(?,?), ref: 0040D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
• CloseHandle.KERNEL32(00000000), ref: 0040D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
• CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
• closesocket.WS2_32(?), ref: 0040D56C
• Sleep.KERNEL32(000003E8), ref: 0040D577
• ExitProcess.KERNEL32 ref: 0040D583
• wsprintfA.USER32 ref: 0040D81F
  • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
• closesocket.WS2_32(?), ref: 0040DAD5
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-3791576231
• Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
• Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
• Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
• Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
• GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
• GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
• GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
• GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
• GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
• GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
• GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
• GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
• GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
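The two API lists above (the drop-execute-delete routine around 0040CC28 to 0040D513, and the ntdll resolver at 00401012 onward) are raw traces; what an analyst usually wants is the behaviour they encode. The following script is an added example, not part of the Joe Sandbox report or of the sample, that parses lines in exactly the report's "APIs" format and flags three patterns visible in them: a file created with CREATE_ALWAYS, then executed with CreateProcessA (CREATE_NO_WINDOW = 0x08000000), waited on and deleted; a WriteFile followed by SetFileAttributesA with FILE_ATTRIBUTE_HIDDEN (0x2); and runtime resolution of Nt*/Rtl* exports from ntdll.dll, with the token-manipulation set (NtOpenProcessToken, NtDuplicateToken, NtSetInformationThread and friends) called out. The TRACE string is a constructed subset of the report lines above; the constants are the documented Win32 values; the detection thresholds (the six-call look-back window) are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the "APIs" lines from the report, verbatim format.
TRACE = """\
• closesocket.WS2_32(?), ref: 0040CA4E
• GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
• WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
• wsprintfA.USER32 ref: 0040CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
• DeleteFileA.KERNEL32(?), ref: 0040CDC4
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
• CloseHandle.KERNEL32(00000000), ref: 0040D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
  • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
"""

# One report line: optional "Part of subcall function X:" prefix, API.MODULE, optional (args), ref: addr.
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

CREATE_ALWAYS = 0x2            # CreateFile dwCreationDisposition
FILE_ATTRIBUTE_HIDDEN = 0x2    # SetFileAttributes dwFileAttributes
CREATE_NO_WINDOW = 0x08000000  # CreateProcess dwCreationFlags
TOKEN_PRIMITIVES = {"NtOpenProcessToken", "NtDuplicateToken", "NtSetInformationThread",
                    "NtSetInformationToken", "NtFilterToken", "NtQueryInformationToken"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int

    def arg_int(self, i: int) -> Optional[int]:
        """Argument i as an integer, or None when the report shows '?' (unresolved)."""
        if i >= len(self.args):
            return None
        try:
            return int(self.args[i], 16)
        except ValueError:
            return None


def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def find_drop_execute_delete(calls: List[Call]) -> Optional[Dict[str, object]]:
    """CreateFileA(CREATE_ALWAYS) ... CreateProcessA ... DeleteFileA: drop, run, clean up."""
    for i, c in enumerate(calls):
        if c.api != "CreateFileA" or c.arg_int(4) != CREATE_ALWAYS:
            continue
        j = next((k for k in range(i + 1, len(calls)) if calls[k].api == "CreateProcessA"), None)
        if j is None:
            continue
        rest = calls[j + 1:]
        delete = next((x for x in rest if x.api == "DeleteFileA"), None)
        if delete is None:
            continue
        wait = next((x for x in rest if x.api == "WaitForSingleObject"), None)
        flags = calls[j].arg_int(5) or 0
        return {"create_ref": c.ref, "process_ref": calls[j].ref, "delete_ref": delete.ref,
                "no_window": bool(flags & CREATE_NO_WINDOW),
                "wait_ms": wait.arg_int(1) if wait else None}
    return None


def find_hidden_writes(calls: List[Call], window: int = 6) -> List[Dict[str, int]]:
    """WriteFile followed within `window` calls by SetFileAttributesA(HIDDEN): a hidden drop."""
    findings = []
    for i, c in enumerate(calls):
        if c.api != "SetFileAttributesA" or not ((c.arg_int(1) or 0) & FILE_ATTRIBUTE_HIDDEN):
            continue
        for prev in reversed(calls[max(0, i - window):i]):
            if prev.api == "WriteFile":
                findings.append({"write_ref": prev.ref, "hide_ref": c.ref})
                break
    return findings


def find_dynamic_resolution(calls: List[Call]) -> Dict[str, object]:
    """LoadLibraryA/GetProcAddress at runtime, with token/impersonation primitives flagged."""
    libs = [c.args[0] for c in calls if c.api == "LoadLibraryA" and c.args]
    names = [c.args[1] for c in calls if c.api == "GetProcAddress" and len(c.args) > 1]
    return {"libraries": libs, "resolved": names,
            "token_primitives": sorted(n for n in names if n in TOKEN_PRIMITIVES)}


if __name__ == "__main__":
    parsed = parse_trace(TRACE)
    print("drop/execute/delete:", find_drop_execute_delete(parsed))
    print("hidden writes:", find_hidden_writes(parsed))
    print("dynamic imports:", find_dynamic_resolution(parsed))
```

The look-back window matters: the report shows SetFileAttributesA(0x80) before each CreateFileA (clearing attributes so the overwrite succeeds) and SetFileAttributesA(0x2) after CloseHandle, so the hide call sits two to four calls after the write; a window that only checks the immediately preceding call would miss it.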
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
• Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
• Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
• Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
• Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
• wsprintfA.USER32 ref: 0040B3B7
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                                                                                                • String ID: D
                                                                                                                                                                                • API String ID: 3722657555-2746444292
                                                                                                                                                                                • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                                                                                • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                                                                                                                • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                                                                                • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7612F620), ref: 00402A83
                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,?,7612F620), ref: 00402A86
                                                                                                                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                                                                                                                • htons.WS2_32(00000000), ref: 00402ADB
                                                                                                                                                                                • select.WS2_32 ref: 00402B28
                                                                                                                                                                                • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                                                                                                                • htons.WS2_32(?), ref: 00402B71
                                                                                                                                                                                • htons.WS2_32(?), ref: 00402B8C
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                                                                                                • String ID: ]Vw`'Vw
                                                                                                                                                                                • API String ID: 1639031587-147723481
                                                                                                                                                                                • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                                                                                                                • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                                                                                                                • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                                                                                                                • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                                                                                                                • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ExecuteShelllstrlen
                                                                                                                                                                                • String ID: $%systemroot%\system32\cmd.exe$<$@$@EJv$D$uac$useless$wusa.exe
                                                                                                                                                                                • API String ID: 1628651668-3954050976
                                                                                                                                                                                • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                                                                                                • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                                                                                                                • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                                                                                                • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                                                                                                                • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                                                                                                                • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                                                                                                                  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                                                                                                • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                                                                                                                • API String ID: 4207808166-1381319158
                                                                                                                                                                                • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                                                                                                                • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                                                                                                                • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                                                                                                                • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                                                                                                                • ExitProcess.KERNEL32 ref: 00404121
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CreateEventExitProcess
                                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 2404124870-2980165447
                                                                                                                                                                                • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                                                                                                                • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                                                                                                                • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                                                                                                                • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                                                                                                                • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                                                                                                                • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                                                                                                                • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Read$AddressLibraryLoadProc
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2438460464-0
                                                                                                                                                                                • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                                                                                                                • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                                                                                                                • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                                                                                                                • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
• Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
• Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 007065F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00706610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00706631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00706652
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction ID: d5b2852258ea294fa3b781a67c577b059c5ec224640dca6139ade95039e84a6b
• Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction Fuzzy Hash: 4711A3B1600218FFDB219F65DC1AF9B3FA8EB047A5F104124F908E7291D7B6DD1086A4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
Uniqueness
Uniqueness Score: -1.00%

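Three of the function records above are worth reading as a pair of behaviours rather than as raw API names: the 00406F0F record (AllocateAndInitializeSid with sub-authorities 00000020 and 00000220, then CheckTokenMembership, then FreeSid) is the standard "is the caller a member of BUILTIN\Administrators?" test, and the 007065F6 and 0040638F records (VirtualAllocEx with flProtect 00000040, i.e. PAGE_EXECUTE_READWRITE, followed by WriteProcessMemory) are the allocate-and-write half of a process-injection routine. The following Python is an added example written for this page, not code from Joe Sandbox or from the sample: it parses trace rows in the format the report uses and applies those two rules. It assumes the sandbox prints raw stack slots in parameter order (so trailing extra values can appear after the last real parameter), and, because the identifier-authority slot is shown as an unresolved `?`, it assumes SECURITY_NT_AUTHORITY (5), the authority under which the BUILTIN RIDs are defined. The sample rows are copied from the two records named above.

```python
import re
from dataclasses import dataclass

# Well-known constants from winnt.h / memoryapi.h.
SECURITY_BUILTIN_DOMAIN_RID = 0x20   # the "BUILTIN" pseudo-domain
DOMAIN_ALIAS_RID_ADMINS = 0x220      # BUILTIN\Administrators alias
PAGE_EXECUTE_READWRITE = 0x40

# One report row: "<API>.<MODULE>(<stack slots>), ref: <call site>".
# Slots are 8-hex-digit values, "?" when unresolved, or a string the sandbox resolved.
TRACE_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*?)\))?\s*,?\s*ref:\s*([0-9A-Fa-f]{8})")


@dataclass
class Call:
    api: str
    module: str
    args: list   # int for hex slots, str for "?" or resolved strings
    ref: int     # call-site address


def parse_trace(lines):
    """Parse the API rows of a function record; rows without 'ref:' are skipped."""
    calls = []
    for line in lines:
        m = TRACE_RE.search(line)
        if not m:
            continue
        api, module, raw, ref = m.groups()
        args = []
        for tok in (raw or "").split(","):
            tok = tok.strip()
            if not tok:
                continue
            args.append(int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok)
        calls.append(Call(api, module, args, int(ref, 16)))
    return calls


def admin_check_sid(calls):
    """Return the SID built by AllocateAndInitializeSid when the record is the
    classic BUILTIN\\Administrators membership test, otherwise None.

    Slot order (raw stack): pIdentifierAuthority, nSubAuthorityCount,
    dwSubAuthority0..7, ppSid, then whatever else was on the stack.
    """
    for i, c in enumerate(calls):
        if c.api != "AllocateAndInitializeSid" or len(c.args) < 4:
            continue
        count = c.args[1]
        if not isinstance(count, int) or not 1 <= count <= 8:
            continue
        subs = c.args[2:2 + count]
        if not all(isinstance(s, int) for s in subs):
            continue
        # ASSUMPTION: the authority slot is unresolved ('?') in the report; the
        # BUILTIN RIDs are defined under SECURITY_NT_AUTHORITY, value 5.
        sid = "S-1-5-" + "-".join(str(s) for s in subs)
        if (subs == [SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS]
                and any(x.api == "CheckTokenMembership" for x in calls[i + 1:])):
            return sid
    return None


def injection_primitives(calls):
    """Return (VirtualAllocEx site, WriteProcessMemory site) pairs where the
    allocation asked for RWX memory in another process and was then written to.
    flProtect is the fifth slot of VirtualAllocEx."""
    hits, pending = [], None
    for c in calls:
        if (c.api == "VirtualAllocEx" and len(c.args) >= 5
                and c.args[4] == PAGE_EXECUTE_READWRITE):
            pending = c
        elif c.api == "WriteProcessMemory" and pending is not None:
            hits.append((pending.ref, c.ref))
            pending = None
    return hits


# Constructed input: API rows copied from the 00406F0F and 007065F6 records above.
ADMIN_TRACE = [
    "• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F",
    "• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24",
    "• FreeSid.ADVAPI32(?), ref: 00406F3E",
]
INJECT_TRACE = [
    "• GetModuleHandleA.KERNEL32(00000000), ref: 007065F6",
    "• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00706610",
    "• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00706631",
    "• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00706652",
]

if __name__ == "__main__":
    print("admin check builds", admin_check_sid(parse_trace(ADMIN_TRACE)))
    for alloc, write in injection_primitives(parse_trace(INJECT_TRACE)):
        print(f"RWX VirtualAllocEx at {alloc:08X}, WriteProcessMemory at {write:08X}")
```

Two caveats when reading the result back against the report. The allocate-and-write routine is listed twice with the same API String ID 1965334864-0, once in the PE-backed image at 00400000 and once in the 00700000 region that the dump marks "based on PE: false"; that duplication is consistent with the unpacking signatures at the top of the report, not evidence of two different routines. And the hProcess slot is 00000000 in both records, so the injection target is not recoverable from these rows alone; it has to come from the process tree or behaviour data, and an RWX allocation followed by a write is a strong indicator rather than proof on its own.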
APIs
• CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
• DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
  • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
  • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Time$FileSystem$CloseControlCreateDeviceHandle
• String ID:
• API String ID: 3754425949-0
• Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
• Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
• Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
• Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
• Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction ID: b191a1097d474a83367248c2b9c822c83515a3dcd5259a6ee529bdb81389497e
• Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction Fuzzy Hash: F0318AB6910609DFDB10CF99C884BAEBBF9FF08324F24414AD841A7351D775EA45CBA4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
• Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
• Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
• Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.1457392227.000000000090D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_90d000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction ID: 84726b2e1c6c30446ccb431fb916080eafb8ee30ce04d06a9bfc922cf178a072
• Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction Fuzzy Hash: E1117C72340104AFDB44DE55DC81FE677EAEF88360B2980A5EA08CB316E679EC81C760
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction ID: d711aeb3441189b51fc6b698b07a5e2285a8451c8e4702e3bd61251f80834f7d
• Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction Fuzzy Hash: D201A776700604DFDF21DF64C804BAA33E5FB85325F4545A5D506D72C2E778A9418BD0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ExitProcess.KERNEL32 ref: 00709E6D
• lstrcpy.KERNEL32(?,00000000), ref: 00709FE1
• lstrcat.KERNEL32(?,?), ref: 00709FF2
• lstrcat.KERNEL32(?,0041070C), ref: 0070A004
• GetFileAttributesExA.KERNEL32(?,?,?), ref: 0070A054
• DeleteFileA.KERNEL32(?), ref: 0070A09F
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0070A0D6
• lstrcpy.KERNEL32 ref: 0070A12F
• lstrlen.KERNEL32(00000022), ref: 0070A13C
• GetTempPathA.KERNEL32(000001F4,?), ref: 00709F13
  • Part of subcall function 00707029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00707081
                                                                                                                                                                                  • Part of subcall function 00706F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\imehaowx,00707043), ref: 00706F4E
                                                                                                                                                                                  • Part of subcall function 00706F30: GetProcAddress.KERNEL32(00000000), ref: 00706F55
                                                                                                                                                                                  • Part of subcall function 00706F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00706F7B
                                                                                                                                                                                  • Part of subcall function 00706F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00706F92
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0070A1A2
                                                                                                                                                                                • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0070A1C5
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0070A214
                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0070A21B
                                                                                                                                                                                • GetDriveTypeA.KERNEL32(?), ref: 0070A265
                                                                                                                                                                                • lstrcat.KERNEL32(?,00000000), ref: 0070A29F
                                                                                                                                                                                • lstrcat.KERNEL32(?,00410A34), ref: 0070A2C5
                                                                                                                                                                                • lstrcat.KERNEL32(?,00000022), ref: 0070A2D9
                                                                                                                                                                                • lstrcat.KERNEL32(?,00410A34), ref: 0070A2F4
                                                                                                                                                                                • wsprintfA.USER32 ref: 0070A31D
                                                                                                                                                                                • lstrcat.KERNEL32(?,00000000), ref: 0070A345
                                                                                                                                                                                • lstrcat.KERNEL32(?,?), ref: 0070A364
                                                                                                                                                                                • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0070A387
                                                                                                                                                                                • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0070A398
                                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0070A1D1
                                                                                                                                                                                  • Part of subcall function 00709966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0070999D
                                                                                                                                                                                  • Part of subcall function 00709966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 007099BD
                                                                                                                                                                                  • Part of subcall function 00709966: RegCloseKey.ADVAPI32(?), ref: 007099C6
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0070A3DB
                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0070A3E2
                                                                                                                                                                                • GetDriveTypeA.KERNEL32(00000022), ref: 0070A41D
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                                                                                                                • String ID: "$"$"$D$P$\
                                                                                                                                                                                • API String ID: 1653845638-2605685093
                                                                                                                                                                                • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                                                                                                • Instruction ID: 4ab369f4a2ebfd2a478f366438dbc1137b93b7a9720e689f295fce3a38d6ab67
                                                                                                                                                                                • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                                                                                                • Instruction Fuzzy Hash: 79F120B1D40259FEDB21DBA0CC49EEF7BFCAB08300F1445A5E605E2182E7799A858F65
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00707D21
                                                                                                                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 00707D46
                                                                                                                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00707D7D
                                                                                                                                                                                • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00707DA2
                                                                                                                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00707DC0
                                                                                                                                                                                • EqualSid.ADVAPI32(?,?), ref: 00707DD1
                                                                                                                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00707DE5
                                                                                                                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00707DF3
                                                                                                                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00707E03
                                                                                                                                                                                • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00707E12
                                                                                                                                                                                • LocalFree.KERNEL32(00000000), ref: 00707E19
                                                                                                                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00707E35
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                                                                                                • String ID: D$PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 2976863881-1403908072
                                                                                                                                                                                • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                                                                                                • Instruction ID: ae8f8cc9e38d0c854f966db04684b941c94a6e50a385067e9c90b75e8a0f93ca
                                                                                                                                                                                • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                                                                                                • Instruction Fuzzy Hash: 61A14C71D00219EFDF118FA0DD88FEEBBB9FB08300F148169E615E6190DB799A85CB64
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                                                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                                                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                                                                                                                • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                                                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                                                                                                                • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                                                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                                                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                                                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                                                                                                                • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                                                                                                                • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                                                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                                                                                                • String ID: D$PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 2976863881-1403908072
                                                                                                                                                                                • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                                                                                                • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                                                                                                                • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                                                                                                • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                                                                                                • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                                                                                                • API String ID: 2400214276-165278494
                                                                                                                                                                                • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                                                                                                • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                                                                                                                • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                                                                                                • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
• Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
• Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 00707A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00707ACD
• GetLengthSid.ADVAPI32(?), ref: 00707ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00707B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00707B1F
• EqualSid.ADVAPI32(?,?), ref: 00707B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00707B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00707B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00707B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00707B77
• LocalFree.KERNEL32(00000000), ref: 00707B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00707B9A
• GetAce.ADVAPI32(?,?,?), ref: 00707BCA
• EqualSid.ADVAPI32(?,?), ref: 00707BF1
• DeleteAce.ADVAPI32(?,?), ref: 00707C0A
• EqualSid.ADVAPI32(?,?), ref: 00707C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00707CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00707CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00707CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00707CE0
• LocalFree.KERNEL32(00000000), ref: 00707CEE
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: 61c969a913bd9399a2c1faa80875b11a48e00d4fded76add52425ea7e5738472
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 7C813B71D0421AEBDB15CFA4DD48BEFBBFCAF08304F04816AE505E6190D779AA41CB64
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: PromptOnSecureDesktop$localcfg
• API String ID: 237177642-1678164370
• Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
Uniqueness

Uniqueness Score: -1.00%

APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg$]Vw`'Vw
• API String ID: 835516345-2743630432
• Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
• Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0070865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0070867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 007086A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 007086B1
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$PromptOnSecureDesktop
• API String ID: 237177642-3108538426
• Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction ID: 7f7dec48784a7a4f8c8b9dbb263bb3c59af1915417fa0a80f83e3c4cc95d8858
• Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction Fuzzy Hash: 63C1B371900209FEEB51ABA4DD89EEF7BFCEB04300F144275F640E60D1EB794A948B66
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • ShellExecuteExW.SHELL32(?), ref: 00701601
                                                                                                                                                                                • lstrlenW.KERNEL32(-00000003), ref: 007017D8
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ExecuteShelllstrlen
                                                                                                                                                                                • String ID: $<$@$D
                                                                                                                                                                                • API String ID: 1628651668-1974347203
                                                                                                                                                                                • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                                                                                                • Instruction ID: 6ed1f3166b767fa38220526483f69261fbfdbd704ebca32784317ee5e94298bc
                                                                                                                                                                                • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                                                                                                • Instruction Fuzzy Hash: 14F17DB1508381DFD720DF64C888BABB7E5FB88304F908A2DF69597290D7B8D944CB56
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007076D9
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00707757
                                                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0070778F
                                                                                                                                                                                • ___ascii_stricmp.LIBCMT ref: 007078B4
                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0070794E
                                                                                                                                                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0070796D
                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0070797E
                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 007079AC
                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00707A56
                                                                                                                                                                                  • Part of subcall function 0070F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0070772A,?), ref: 0070F414
                                                                                                                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 007079F6
                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00707A4D
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                                                                                                • String ID: "$PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 3433985886-3108538426
                                                                                                                                                                                • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                                                                                                                • Instruction ID: 045f8e819d211decf6d0ab80a6cd417edb7a481bc182566d5ba7d921b7523964
                                                                                                                                                                                • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                                                                                                                • Instruction Fuzzy Hash: C5C1B272D04209EFDB259BA4DC49FEE7BF9AF45310F1042A1F504E61D1EB79AA84CB60
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(iphlpapi.dll,76132640,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                                                                                                                • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                                                                                                                • htons.WS2_32(00000035), ref: 00402E88
                                                                                                                                                                                • inet_addr.WS2_32(?), ref: 00402E93
                                                                                                                                                                                • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                                                                                                                • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                                                                                                • String ID: GetNetworkParams$iphlpapi.dll$]Vw`'Vw
                                                                                                                                                                                • API String ID: 929413710-3538517857
                                                                                                                                                                                • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                                                                                                • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                                                                                                                • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                                                                                                • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 00702CED
                                                                                                                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 00702D07
                                                                                                                                                                                • htons.WS2_32(00000000), ref: 00702D42
                                                                                                                                                                                • select.WS2_32 ref: 00702D8F
                                                                                                                                                                                • recv.WS2_32(?,00000000,00001000,00000000), ref: 00702DB1
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00702E62
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 127016686-0
                                                                                                                                                                                • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                                                                                                                • Instruction ID: f871355bb295a184707b18c888080b8c38adf5997bbc697c81add561cb052ef5
                                                                                                                                                                                • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                                                                                                                • Instruction Fuzzy Hash: 3A61F472504305EBC7209F60DC4CB6BBBF8FB48751F144A19F98497192D7B8EC828BA5
Uniqueness
Uniqueness Score: -1.00%
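Taken together, the two preceding functions describe a hand-rolled resolver: `GetNetworkParams` (resolved at run time from iphlpapi.dll) yields the adapter's configured DNS servers, then `socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)`, `htons(53)`, `select` and a `recv` of 0x1000 bytes carry a DNS exchange without going through the Windows DNS Client service, so nothing about these lookups reaches the DNS Client event log or the resolver cache. The following is an added example, not code from the report or the sample, showing what such a resolver does on the wire: it builds a query, waits with `select`, and parses the reply including name compression. The record type is not visible in the listing; MX is used here as an assumption because the rest of this report shows the sample building SMTP traffic. `resolve()` needs a network and is not exercised by the test; `build_sample_response()` is a constructed reply used for offline checking.

```python
import random
import select
import socket
import struct

QTYPE = {"A": 1, "MX": 15}


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="MX", txid=None):
    """Standard query, one question, RD set."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(data, off):
    """Read a (possibly compressed) name; return (name, offset just past it in the record)."""
    labels, end, jumped = [], None, False
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_response(data):
    """Return (txid, rcode, [(name, rtype, ttl, value), ...]) for the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                             # skip the echoed question(s)
        _, off = decode_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 15:
            pref = struct.unpack("!H", rdata[:2])[0]
            exchange, _ = decode_name(data, off + 2)
            value = (pref, exchange)
        else:
            value = rdata
        answers.append((name, rtype, ttl, value))
        off += rdlen
    return txid, flags & 0xF, answers


def resolve(name, server, qtype="MX", timeout=3.0):
    """The same call sequence as the sample: socket(2,2,17), sendto port 53, select, recv(0x1000)."""
    txid = random.randrange(0, 0x10000)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    try:
        s.sendto(build_query(name, qtype, txid), (server, 53))
        ready, _, _ = select.select([s], [], [], timeout)
        if not ready:
            return None                             # timed out, as the sample's select would
        data = s.recv(0x1000)
    finally:
        s.close()
    rid, rcode, answers = parse_response(data)
    if rid != txid or rcode != 0:
        return None
    return answers


def build_sample_response(txid=0x1234):
    """Constructed reply: example.com MX 10 mail.example.com, exchange name compressed."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 15, 1)
    rdata = struct.pack("!H", 10) + b"\x04mail" + b"\xc0\x0c"   # "mail" + pointer to offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 300, len(rdata)) + rdata
    return hdr + question + answer


if __name__ == "__main__":
    print(parse_response(build_sample_response()))
```

For detection, the useful observation is the asymmetry: the lookups appear in network telemetry as UDP/53 from the sample's own process (or from the process it injected into), while the host's DNS Client logs stay silent, so correlate NetFlow or Sysmon network events with the absence of matching DNS Client events rather than relying on the DNS log alone.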

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                                                                                                                  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                                                                                                  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                                                                                                  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                                                                                                  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                                                                                                  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                                                                                                                  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                                                                                                                • wsprintfA.USER32 ref: 0040AEA5
                                                                                                                                                                                  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                                                                                                                • wsprintfA.USER32 ref: 0040AE4F
                                                                                                                                                                                • wsprintfA.USER32 ref: 0040AE5E
                                                                                                                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                                                                                                • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                                                                                                                • API String ID: 3631595830-1816598006
                                                                                                                                                                                • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                                                                                                                • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                                                                                                                • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                                                                                                                • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
Uniqueness
Uniqueness Score: -1.00%
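The string list of the preceding function reads like a reconstruction of Outlook Express message headers: `----=_NextPart_%03d_%04X_%08.8lX.%08.8lX` is the MIME boundary format that client emits (the last two fields are the high and low DWORDs of a FILETIME), and `%04x%08.8lx`, `%08.8lx` and `%08x@%s` are the three pieces of its Message-ID format once the report's own `$` separator is put back (`<seq+FILETIME.high$FILETIME.low$ipv4-as-dword@host>`). The calls around them fit: `GetLocalTime` then `SystemTimeToFileTime` for the timestamp, `gethostname` with a `LocalHost` fallback, `inet_ntoa` with `127.0.0.1` as fallback. The `%OUTLOOK_BND_`, `%OUTLOOK_HST` and `%OUTLOOK_MID` strings look like macros a spam template is expanded with. The following is an added example, not code from the report or from the sample: it generates those headers from the format strings and expands a constructed template, and it recovers the embedded FILETIME from a boundary so that mail logs can be checked for boundaries whose timestamp disagrees with the Date header. Which value fills which `%` slot, the DWORD byte order of the IP, and the meaning of the macros are assumptions; the values in the test are constructed.

```python
import re
import socket
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(dt):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC), what SystemTimeToFileTime returns."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def outlook_boundary(seq, ft, counter=0):
    # "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX": counter, sequence, FILETIME high.low (assumed order)
    return "----=_NextPart_%03d_%04X_%08X.%08X" % (counter, seq, ft >> 32, ft & 0xFFFFFFFF)


def outlook_message_id(seq, ft, ipv4, host):
    # "%04x%08.8lx" "$" "%08.8lx" "$" "%08x@%s": seq+FILETIME high, FILETIME low, IPv4 DWORD, host
    ip_dword = struct.unpack("<I", socket.inet_aton(ipv4))[0]   # in_addr memory order (assumed)
    return "<%04x%08x$%08x$%08x@%s>" % (seq, ft >> 32, ft & 0xFFFFFFFF, ip_dword, host)


MACRO_RE = re.compile(r"%OUTLOOK_(BND_(?P<n>\d*)|HST|MID)")


def expand_template(template, host, ipv4, ft, seq):
    """Replace the %OUTLOOK_* macros; 'BND_<n>' is taken to mean the n-th boundary (assumption)."""
    def sub(m):
        if m.group(1) == "HST":
            return host
        if m.group(1) == "MID":
            return outlook_message_id(seq, ft, ipv4, host)
        return outlook_boundary(seq, ft, counter=int(m.group("n") or 0))
    return MACRO_RE.sub(sub, template)


BOUNDARY_RE = re.compile(r"----=_NextPart_\d{3}_[0-9A-F]{4}_([0-9A-F]{8})\.([0-9A-F]{8})")


def boundary_time(boundary):
    """Recover the FILETIME embedded in an Outlook-style boundary (None if it does not parse)."""
    m = BOUNDARY_RE.search(boundary)
    if not m:
        return None
    return filetime_to_datetime((int(m.group(1), 16) << 32) | int(m.group(2), 16))


# Constructed template with the three macros seen in the report's string list.
TEMPLATE = (
    "Message-ID: %OUTLOOK_MID\r\n"
    "X-Originating-Host: %OUTLOOK_HST\r\n"
    'Content-Type: multipart/alternative; boundary="%OUTLOOK_BND_0"\r\n'
)

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    print(expand_template(TEMPLATE, "workstation-17", "192.168.0.10", filetime(now), 5))
```

A message whose boundary decodes to a time far from its Date header, or whose Message-ID host part is the literal `LocalHost`, is worth a second look; a genuine client fills both fields from the same clock and hostname at send time.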

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetVersionExA.KERNEL32(?), ref: 007095A7
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007095D5
                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 007095DC
                                                                                                                                                                                • wsprintfA.USER32 ref: 00709635
                                                                                                                                                                                • wsprintfA.USER32 ref: 00709673
                                                                                                                                                                                • wsprintfA.USER32 ref: 007096F4
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00709758
                                                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0070978D
                                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 007097D8
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 3696105349-2980165447
                                                                                                                                                                                • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                                                                                                • Instruction ID: 31b14f8efeff2e82509ac46ccb5f8499bc19c78a2ddd72e77bce0b5f7215bfec
                                                                                                                                                                                • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                                                                                                • Instruction Fuzzy Hash: 2AA152B290020CEFEB21DFA0DC49FDA3BECEB45741F104126FA15D6192E779D9848BA5
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                                                                                                                • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                                                                                                                • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                                                                                                                • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                                                                                                                • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                                                                                                                • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                 • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: lstrcmpi
                                                                                                                                                                                • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                                                                                                                • API String ID: 1586166983-142018493
                                                                                                                                                                                • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                                                                                                • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                                                                                                                • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                                                                                                • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • wsprintfA.USER32 ref: 0040B467
                                                                                                                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                 • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: lstrlen$wsprintf
                                                                                                                                                                                • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                                                                                                • API String ID: 1220175532-2340906255
                                                                                                                                                                                • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                                                                                                • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                                                                                                                • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                                                                                                • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetVersionExA.KERNEL32 ref: 0070202D
                                                                                                                                                                                • GetSystemInfo.KERNEL32(?), ref: 0070204F
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0070206A
                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00702071
                                                                                                                                                                                • GetCurrentProcess.KERNEL32(?), ref: 00702082
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00702230
                                                                                                                                                                                  • Part of subcall function 00701E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00701E7C
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                                                                                                • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                                                                                                                • API String ID: 4207808166-1391650218
                                                                                                                                                                                • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                                                                                                                • Instruction ID: e60f5034f5de5ff9df40058ede1a1cf21f20076265a81cc03440af8f4815295d
                                                                                                                                                                                • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                                                                                                                • Instruction Fuzzy Hash: CE5194B1504348EFE330AF658C89F67BAECEB54704F004A1DF99682183D7BDA9458765
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00402078
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 004020D4
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 004020DB
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040212B
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00402132
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00402142
                                                                                                                                                                                  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7558EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                                                                                                                  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7558EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                                                                                                                  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                                                                                                  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                                                                                                  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                 • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                                                                                                • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                                                                                                                • API String ID: 3976553417-1522128867
                                                                                                                                                                                • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                                                                                                • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                                                                                                                • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                                                                                                • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                                                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                                                                                                                • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                 • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: closesockethtonssocket
                                                                                                                                                                                • String ID: time_cfg
                                                                                                                                                                                • API String ID: 311057483-2401304539
                                                                                                                                                                                • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                                                                                                • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                                                                                                                • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                                                                                                • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                                                                                                  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040C363
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040C378
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                                                                                                                • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                 • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                                • API String ID: 1553760989-1857712256
                                                                                                                                                                                • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                                                                                                • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                                                                                                                • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                                                                                                • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00703068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00703078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 00703095
• RtlAllocateHeap.NTDLL(00000000), ref: 007030B6
• htons.WS2_32(00000035), ref: 007030EF
• inet_addr.WS2_32(?), ref: 007030FA
• gethostbyname.WS2_32(?), ref: 0070310D
• HeapFree.KERNEL32(00000000), ref: 0070314D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: cf1c0660d91fea179c54af6bcdd5d6dd688988dc995c92ba76d7b847c25e6dc4
• Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction Fuzzy Hash: 1C315731E0060AEBDB119BB89C48AAE77FCAF09761F144365E518E72D0DB78DE418B54
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,76132640,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll$]Vw`'Vw
• API String ID: 3560063639-312264031
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
• API String ID: 1082366364-2834986871
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D$PromptOnSecureDesktop
• API String ID: 2981417381-1403908072
• Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
• Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 007067C3
• htonl.WS2_32(?), ref: 007067DF
• htonl.WS2_32(?), ref: 007067EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 007068F1
• ExitProcess.KERNEL32 ref: 007069BC
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: 76418a5b784e01057503aa99c5a01bf3d45679088f874187ae670668f131a721
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: 6A617F71A50208EFDB609FB4DC45FEA77E9FB08300F14816AF96DD21A1DA75A990CF14
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
• htons.WS2_32(0070CC84), ref: 0070F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 0070F5CE
• closesocket.WS2_32(00000000), ref: 0070F5DC
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(?), ref: 00702FA1
• LoadLibraryA.KERNEL32(?), ref: 00702FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 00702FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00703000
• RtlAllocateHeap.NTDLL(00000000), ref: 00703007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00703032
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\imehaowx,00707043), ref: 00706F4E
• GetProcAddress.KERNEL32(00000000), ref: 00706F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00706F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00706F92
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\imehaowx
• API String ID: 1082366364-3123451844
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Code
• String ID: PromptOnSecureDesktop
• API String ID: 3609698214-2980165447
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 007092E2
• wsprintfA.USER32 ref: 00709350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00709375
• lstrlen.KERNEL32(?,?,00000000), ref: 00709389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 00709394
• CloseHandle.KERNEL32(00000000), ref: 0070939B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00709A18
• GetThreadContext.KERNEL32(?,?), ref: 00709A52
• TerminateProcess.KERNEL32(?,00000000), ref: 00709A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00709A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00709AB5
• ResumeThread.KERNEL32(?), ref: 00709AC2
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                                                                                                • String ID: D
                                                                                                                                                                                • API String ID: 2981417381-2746444292
                                                                                                                                                                                • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                                                                                                • Instruction ID: 49b3ab6954cd14da7d1209978f991b570fedbdb6c4576cc765f728612cd18aac
                                                                                                                                                                                • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                                                                                                • Instruction Fuzzy Hash: EA213BB1A01219FBDB219BA1DC09EEF7BBCEF04750F408161FA19E1091E7798A54CBA4
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • inet_addr.WS2_32(004102D8), ref: 00701C18
                                                                                                                                                                                • LoadLibraryA.KERNEL32(004102C8), ref: 00701C26
                                                                                                                                                                                • GetProcessHeap.KERNEL32 ref: 00701C84
                                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00701C9D
                                                                                                                                                                                • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00701CC1
                                                                                                                                                                                • HeapFree.KERNEL32(?,00000000,00000000), ref: 00701D02
                                                                                                                                                                                • FreeLibrary.KERNEL32(?), ref: 00701D0B
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2324436984-0
                                                                                                                                                                                • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                                                                                                • Instruction ID: abf46115fd32d1dcaa50b1968a2fb5cd36b7549f4a5236ceaa765b3e3e06daf4
                                                                                                                                                                                • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                                                                                                • Instruction Fuzzy Hash: B5311E31E00219FFCB119FE4DC888AEBBF9EB45751B64457AE501E3150D7B98E80DBA4
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                                                                                                                • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                                                                                                                • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                                                                                                                • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                                                                                                                • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: QueryValue$CloseOpen
                                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 1586453840-2980165447
                                                                                                                                                                                • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                                                                                                • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                                                                                                                • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                                                                                                • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                                                                                                                • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                                                                                                                • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CloseHandle$CreateEvent
                                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 1371578007-2980165447
                                                                                                                                                                                • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                                                                                                • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                                                                                                                • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                                                                                                • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: ]Vw`'Vw
                                                                                                                                                                                • API String ID: 0-147723481
                                                                                                                                                                                • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                                                                                                • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                                                                                                                • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                                                                                                • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00706CE4
                                                                                                                                                                                • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00706D22
                                                                                                                                                                                • GetLastError.KERNEL32 ref: 00706DA7
                                                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 00706DB5
                                                                                                                                                                                • GetLastError.KERNEL32 ref: 00706DD6
                                                                                                                                                                                • DeleteFileA.KERNEL32(?), ref: 00706DE7
                                                                                                                                                                                • GetLastError.KERNEL32 ref: 00706DFD
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3873183294-0
                                                                                                                                                                                • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                                                                                • Instruction ID: d9417bacf85b0eeafa8416bb16f198aa260721d99fa7aee6a69b808cd351a5dd
                                                                                                                                                                                • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                                                                                                • Instruction Fuzzy Hash: 2E31E276A00249FFCF01EFA49D48ADE7FF9EB48300F148265E251E3291D77499658B61
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegCreateKeyExA.ADVAPI32(80000001,0070E50A,00000000,00000000,00000000,00020106,00000000,0070E50A,00000000,000000E4), ref: 0070E319
                                                                                                                                                                                • RegSetValueExA.ADVAPI32(0070E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0070E38E
• RegDeleteValueA.ADVAPI32(0070E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dp), ref: 0070E3BF
• RegCloseKey.ADVAPI32(0070E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dp,0070E50A), ref: 0070E3C8
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop$Dp
• API String ID: 2667537340-1242397352
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: c4456268d0543188460e5621fc9a8a293847164b1d4ca826cc9d0b2978ece7d0
• Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction Fuzzy Hash: D6215E71A0021DFBDF209FA4EC89EDEBFB9EF08750F048521F904E6191E2718A54D7A0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007093C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 007093CD
• CharToOemA.USER32(?,?), ref: 007093DB
• wsprintfA.USER32 ref: 00709410
  • Part of subcall function 007092CB: GetTempPathA.KERNEL32(00000400,?), ref: 007092E2
  • Part of subcall function 007092CB: wsprintfA.USER32 ref: 00709350
  • Part of subcall function 007092CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00709375
  • Part of subcall function 007092CB: lstrlen.KERNEL32(?,?,00000000), ref: 00709389
  • Part of subcall function 007092CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00709394
  • Part of subcall function 007092CB: CloseHandle.KERNEL32(00000000), ref: 0070939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00709448
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID: PromptOnSecureDesktop
• API String ID: 3857584221-2980165447
• Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
• Instruction ID: 4ab7a0d218566fe51501b960b64e66f14fba66d06223ba1d2b9655732fba89d0
• Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
• Instruction Fuzzy Hash: 8D0192F6900118BBD720A7619D4DEDF37BCDB85701F0000A1BB09E2081DAB896C58F75
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID: PromptOnSecureDesktop
• API String ID: 3857584221-2980165447
• Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
• Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
• Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
• Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
Uniqueness
Uniqueness Score: -1.00%
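
The two function blocks above are the same routine lifted from two dumps: the PE-backed image at 00400000 and the non-PE-backed region at 00700000 carry the identical API String ID 3857584221-2980165447, so the unpacked copy can be collapsed onto the original. The API chain itself (GetModuleFileNameA, then a subcall that takes GetTempPathA, wsprintfA, CreateFileA, WriteFile, CloseHandle, followed by ShellExecuteA) is the shape of a self-deletion helper: the sample resolves its own path, formats it into a file written under the temp directory and launches that file. The CharToOemA call on the path suggests the file is meant to be consumed by cmd.exe, although the report does not show its contents. The RegDeleteValueA / RegCloseKey block further up names PromptOnSecureDesktop, which is a UAC policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the key path is not shown on this page and is stated here from general knowledge.

The following Python is an added example, not code from Joe Sandbox or from the analysed sample. It parses report text in the layout used above (an "APIs" heading, "• Name.MODULE(args), ref: ADDR" lines, nested "Part of subcall function" lines, and the "Source File", "String ID" and "API String ID" fields), then applies two rules: an ordered-subsequence match for the self-deletion chain and a check for registry value deletion or writes that touch a UAC policy value. The rule names, the list of UAC value names beyond PromptOnSecureDesktop, and the sample input (abridged from the blocks above) are my own assumptions. Findings are keyed by API String ID so that a function seen in several dumps yields one record.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' blocks and flag two behaviours seen in the report.
Added example, not Joe Sandbox or sample code; field names follow the report text above."""
import re
from dataclasses import dataclass, field

# Constructed input, abridged from the report's function blocks above (not verbatim).
SAMPLE_REPORT = """APIs
• RegDeleteValueA.ADVAPI32(0070E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dp), ref: 0070E3BF
• RegCloseKey.ADVAPI32(0070E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dp,0070E50A), ref: 0070E3C8
• Source File: 00000004.00000002.1457259908.0000000000700000.sdmp, Offset: 00700000, based on PE: false
• String ID: PromptOnSecureDesktop$Dp
• API String ID: 2667537340-1242397352
APIs
• GetModuleFileNameA.KERNEL32(00000000), ref: 007093CD
• wsprintfA.USER32 ref: 00709410
  • Part of subcall function 007092CB: GetTempPathA.KERNEL32(00000400,?), ref: 007092E2
  • Part of subcall function 007092CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00709375
  • Part of subcall function 007092CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00709394
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00709448
• Source File: 00000004.00000002.1457259908.0000000000700000.sdmp, Offset: 00700000, based on PE: false
• String ID: PromptOnSecureDesktop
• API String ID: 3857584221-2980165447
APIs
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
  • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
• Source File: 00000004.00000002.1457131872.0000000000400000.sdmp, Offset: 00400000, based on PE: true
• String ID: PromptOnSecureDesktop
• API String ID: 3857584221-2980165447
APIs
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd), ref: 0040E8DE
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>Source File|String ID|API String ID):\s*(?P<val>.*)$")

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)     # (name, module, args, ref, subcall_of)
    strings: list = field(default_factory=list)  # "String ID" entries, '$'-separated in the report
    source: str = ""                              # memory dump the function was lifted from
    api_string_id: str = ""                       # identical for the same function in any dump

def parse_blocks(text):
    """Split report text into FunctionBlock records, one per 'APIs' heading."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append(FunctionBlock())
            continue
        if not blocks:
            continue
        if (m := API_RE.match(line)):
            blocks[-1].apis.append((m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
        elif (m := FIELD_RE.match(line)):
            if m["key"] == "Source File":
                blocks[-1].source = m["val"].split(",")[0]
            elif m["key"] == "String ID":
                blocks[-1].strings = [s for s in m["val"].split("$") if s]
            else:
                blocks[-1].api_string_id = m["val"]
    return blocks

# Ordered chain of the self-deletion helper: own path -> file under %TEMP% -> launch it.
SELF_DELETE_CHAIN = ("GetModuleFileNameA", "GetTempPathA", "CreateFileA", "WriteFile", "ShellExecuteA")
# Well-known UAC policy value names (assumed list; only PromptOnSecureDesktop appears in the report).
UAC_POLICY_VALUES = {"PromptOnSecureDesktop", "EnableLUA", "ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser"}

def has_chain(names, chain):
    """True if every link of `chain` occurs in `names` in that order (gaps allowed)."""
    it = iter(names)
    return all(want in it for want in chain)

def classify(block):
    rules = []
    if has_chain([a[0] for a in block.apis], SELF_DELETE_CHAIN):
        rules.append("self_delete_via_temp_file")
    for name, _mod, args, _ref, _sub in block.apis:
        touched = set(args.split(",")) | set(block.strings)
        if name.startswith("Reg") and ("Delete" in name or "SetValue" in name) and UAC_POLICY_VALUES & touched:
            rules.append("uac_policy_tamper")
            break
    return rules

def analyze(text):
    """{rule: {api_string_id: [source dump, ...]}}; the same function found in the
    PE-backed image and in the unpacked copy collapses onto one record."""
    findings = {}
    for b in parse_blocks(text):
        for rule in classify(b):
            findings.setdefault(rule, {}).setdefault(b.api_string_id, []).append(b.source)
    return findings

if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_REPORT).items():
        for fid, sources in hits.items():
            print(f"{rule}: API String ID {fid} in {len(sources)} dump(s): {', '.join(sources)}")
```

The subsequence match deliberately tolerates the CharToOemA, wsprintfA, lstrlen and CloseHandle calls interleaved in the real trace, and the subcall entries are folded into the parent's call list in report order, which is what makes the chain visible at all; the UAC rule requires a registry write or delete and not merely the string, so the self-deletion function (whose String ID also lists PromptOnSecureDesktop) is not flagged by it.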

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
• Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
• Instruction ID: 2dd263657a24ede65d8eb784aa2972e21c2546ce83af5f22c71ba0109d24a989
• Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
• Instruction Fuzzy Hash: D471F772B40308FAEF319B54DC85FEE37E9AB00705F244326F905A60D1DA6E9D848767
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
• Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0070DF6C: GetCurrentThreadId.KERNEL32 ref: 0070DFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 0070E8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00706128), ref: 0070E950
• lstrcmp.KERNEL32(?,00000008), ref: 0070E989
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: cdd0e1513e8d6f0941a2b4a26a40204cc7665ce35eeef8392ad3aa0de3babe0c
• Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction Fuzzy Hash: 90318C31610705DBDB71CF24C888BAA7BE8EB15720F108A2AE59687591D378F880CB82
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: 748108236992c54585ae676b07027af15122e10792fd2b2d75c007d2324df4fb
• Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction Fuzzy Hash: 69213B76104219FFDB119B70EC49EDF3EEDEB49760B208625F602D10D1EA789A509674
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                                                                                                                • Sleep.KERNEL32(00000000,?,761311B0,?,00000000,0040E538,?,761311B0,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                                                                                                                • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3819781495-0
                                                                                                                                                                                • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                                                                                                • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                                                                                                                • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                                                                                                • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0070C6B4
                                                                                                                                                                                • InterlockedIncrement.KERNEL32(0070C74B), ref: 0070C715
                                                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0070C747), ref: 0070C728
                                                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,0070C747,00413588,00708A77), ref: 0070C733
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                                • API String ID: 1026198776-1857712256
                                                                                                                                                                                • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                                                                                                • Instruction ID: b1cff133437ee92479e30dae67f12082858bdfe30a8de4728d68649c7f4a808e
                                                                                                                                                                                • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                                                                                                • Instruction Fuzzy Hash: 1F513BB1A01B41CFD7358F29C98552ABBE9FB48300B505A3EE18BC7AD0D779F8448B10
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,761311B0,00000000), ref: 0040815F
                                                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,761311B0,00000000), ref: 00408187
                                                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,761311B0,00000000), ref: 004081BE
                                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,761311B0,00000000), ref: 00408210
                                                                                                                                                                                  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,761311B0,00000000), ref: 0040677E
                                                                                                                                                                                  • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761311B0,00000000), ref: 0040679A
                                                                                                                                                                                  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761311B0,00000000), ref: 004067B0
                                                                                                                                                                                  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,761311B0,00000000), ref: 004067BF
                                                                                                                                                                                  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,761311B0,00000000), ref: 004067D3
                                                                                                                                                                                  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,761311B0,00000000), ref: 00406807
                                                                                                                                                                                  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,761311B0,00000000), ref: 0040681F
                                                                                                                                                                                  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,761311B0,00000000), ref: 0040683E
                                                                                                                                                                                  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,761311B0,00000000), ref: 0040685C
                                                                                                                                                                                  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                                                                                                  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 124786226-2980165447
                                                                                                                                                                                • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                                                                                                                • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                                                                                                                • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                                                                                                                • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                                                                                                • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                                                                                                • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                                                                                                • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Value$CloseCreateDelete
                                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 2667537340-2980165447
                                                                                                                                                                                • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                                                                                                • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                                                                                                                • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                                                                                                • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 007071E1
                                                                                                                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00707228
                                                                                                                                                                                • LocalFree.KERNEL32(?,?,?), ref: 00707286
                                                                                                                                                                                • wsprintfA.USER32 ref: 0070729D
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                                                                                                                • String ID: |
                                                                                                                                                                                • API String ID: 2539190677-2343686810
                                                                                                                                                                                • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                                                                                                • Instruction ID: 5904ffdeceb4466b626a4cc14126d53e4b62dd1ba5e346976258deeaa5989818
                                                                                                                                                                                • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                                                                                                • Instruction Fuzzy Hash: 27313C72904108FBCB11DFA8DC49ADA3BFCEF04314F148166F959DB141EA79E648CBA4
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                                                                                                • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: lstrlen$gethostnamelstrcpy
                                                                                                                                                                                • String ID: LocalHost
                                                                                                                                                                                • API String ID: 3695455745-3154191806
                                                                                                                                                                                • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                                                                                                • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                                                                                                                • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                                                                                                • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(?), ref: 0070B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0070B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0070B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0070B590
• wsprintfA.USER32 ref: 0070B61E
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: d066580a625e56964fb7679ad1e831d5fc39845efa53b58139b817014dc803a8
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: 065100B1D0021DEACF14DFD5D8895EEBBB9BF48304F10866AF505A6150E7B84AC9CF98
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00706303
• LoadLibraryA.KERNEL32(?), ref: 0070632A
• GetProcAddress.KERNEL32(00000000,?), ref: 007063B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00706405
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
• Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction ID: 4b2df583d90ff36b1dea4befc85a6887a1224f44c20f7aefc875062d34fe80ab
• Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction Fuzzy Hash: E9414CB1A00209EBDB14CF58D8A4AA9B7F4FF04354F248269E915DB3D0E779EE50DB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(761311B8,00000000,?,761311B0,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,761311B0,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,761311B0,00000000,?,00405EC1), ref: 0040E722
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
• Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
• Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• String ID:
• API String ID: 1128258776-0
• Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
• Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
• Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
• Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
Uniqueness

Uniqueness Score: -1.00%

APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
• Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
Uniqueness

Uniqueness Score: -1.00%

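The five setsockopt calls in the block above are listed with raw Winsock constants (level 0000FFFF, option 00000004, and so on), which is how the sandbox records the arguments it observed on the stack. The following Python is an added example, not part of the Joe Sandbox report: it parses the report's "APIs" listing lines and resolves each setsockopt level/option pair to its Winsock name. The line-format regex is an assumption derived from the lines visible in this listing (bullet, `api.MODULE(args), ref: address`, with an optional "Part of subcall function" prefix); the constants are the standard Winsock values (SOL_SOCKET = 0xFFFF, SO_REUSEADDR = 0x0004, SO_SNDTIMEO = 0x1005, SO_RCVTIMEO = 0x1006, SO_LINGER = 0x0080, IPPROTO_TCP = 6 with TCP_NODELAY = 1).

```python
"""Parse Joe Sandbox 'APIs' listing lines and decode Winsock setsockopt arguments.

Added example for reading this report; not Joe Sandbox code. The line regex is an
assumption derived from the lines visible in the listing.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

Arg = Union[int, str, None]  # hex immediate, recovered string literal, or '?' (unknown)

# Observed formats (assumed):
#   • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
#   • wsprintfA.USER32 ref: 0070B61E
#   • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_IMM = re.compile(r"^-?[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg] = field(default_factory=list)
    ref: int = 0                  # address of the call instruction
    subcall: Optional[int] = None  # function the call was hoisted from, if any


def parse_arg(tok: str) -> Arg:
    """'?' is a value the sandbox could not resolve; an 8-hex-digit token is an
    immediate (a leading '-' is kept as a negative offset); anything else is a
    string the sandbox recovered from the memory the argument pointed at."""
    tok = tok.strip()
    if tok == "?":
        return None
    if HEX_IMM.match(tok):
        return int(tok, 16)  # int() accepts the optional leading '-'
    return tok


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.search(line)
    if not m:
        return None
    raw = m.group("args")
    sub = m.group("sub")
    return ApiCall(
        api=m.group("api"),
        module=m.group("module"),
        args=[parse_arg(t) for t in raw.split(",")] if raw else [],
        ref=int(m.group("ref"), 16),
        subcall=int(sub, 16) if sub else None,
    )


def parse_listing(lines) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in lines) if c is not None]


# Standard Winsock constants (winsock2.h).
SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
LEVELS = {SOL_SOCKET: "SOL_SOCKET", IPPROTO_TCP: "IPPROTO_TCP"}
OPTNAMES = {
    (SOL_SOCKET, 0x0004): "SO_REUSEADDR",
    (SOL_SOCKET, 0x0008): "SO_KEEPALIVE",
    (SOL_SOCKET, 0x0020): "SO_BROADCAST",
    (SOL_SOCKET, 0x0080): "SO_LINGER",
    (SOL_SOCKET, 0x1001): "SO_SNDBUF",
    (SOL_SOCKET, 0x1002): "SO_RCVBUF",
    (SOL_SOCKET, 0x1005): "SO_SNDTIMEO",
    (SOL_SOCKET, 0x1006): "SO_RCVTIMEO",
    (IPPROTO_TCP, 0x0001): "TCP_NODELAY",
}


def decode_setsockopt(call: ApiCall) -> Tuple[str, str]:
    """Map setsockopt(s, level, optname, optval, optlen) to (level_name, opt_name).
    Unknown values fall back to hex so nothing is silently mislabelled."""
    if call.api != "setsockopt" or len(call.args) < 3:
        raise ValueError("not a setsockopt call")
    level, opt = call.args[1], call.args[2]
    if not isinstance(level, int) or not isinstance(opt, int):
        return ("?", "?")
    return (LEVELS.get(level, hex(level)), OPTNAMES.get((level, opt), hex(opt)))


# Constructed input: the five setsockopt lines copied from the listing above.
SAMPLE_LINES = [
    "• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0",
    "• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0",
    "• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD",
    "• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC",
    "• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD",
]


def summarize(lines) -> List[str]:
    """One human-readable line per call, with setsockopt arguments symbolised."""
    out = []
    for c in parse_listing(lines):
        if c.api == "setsockopt":
            lvl, opt = decode_setsockopt(c)
            out.append(f"{c.ref:08X}: setsockopt({lvl}, {opt})")
        else:
            out.append(f"{c.ref:08X}: {c.api}.{c.module}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LINES)))
```

Two caveats when reading the decoded output: the fourth argument (optval) is shown by the sandbox as a pointer or `?`, so the actual timeout and linger values are not recoverable from this listing, only which options were set; and the same parser applies to the other "APIs" blocks on this page (string arguments such as LocalHost or localcfg come back as text, `?` as None), but only setsockopt is given a symbol table here.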
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
• Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(00000001,Dp,00000000,00000000,00000000), ref: 0070E470
• CloseHandle.KERNEL32(00000001,00000003), ref: 0070E484
  • Part of subcall function 0070E2FC: RegCreateKeyExA.ADVAPI32(80000001,0070E50A,00000000,00000000,00000000,00020106,00000000,0070E50A,00000000,000000E4), ref: 0070E319
  • Part of subcall function 0070E2FC: RegSetValueExA.ADVAPI32(0070E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0070E38E
  • Part of subcall function 0070E2FC: RegDeleteValueA.ADVAPI32(0070E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dp), ref: 0070E3BF
  • Part of subcall function 0070E2FC: RegCloseKey.ADVAPI32(0070E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dp,0070E50A), ref: 0070E3C8
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: PromptOnSecureDesktop$Dp
• API String ID: 4151426672-1242397352
• Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
• Instruction ID: b67b4eae2216135855583e3893e8ed3a73cf4b1dd77d9b44e120191eb3b3845f
• Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
• Instruction Fuzzy Hash: FD41DE72D00214FAEB205F518C4AFDF3BACEF44724F148635FA09940D2E7B98A50D6B5
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0070DF6C: GetCurrentThreadId.KERNEL32 ref: 0070DFBA
• GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0070A6AC), ref: 0070E7BF
• ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0070A6AC), ref: 0070E7EA
• CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0070A6AC), ref: 0070E819
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: File$CloseCurrentHandleReadSizeThread
• String ID: PromptOnSecureDesktop
• API String ID: 1396056608-2980165447
• Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
• Instruction ID: c1146d72ee6071685d935e6c35b05930933f574c631f9a9c097c7ff2461c35b0
• Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
• Instruction Fuzzy Hash: 8621E7B2A40301FAE23077719C0FFEB3E9CDB65B60F105625FA09A51D3EA9D985082B5
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• GetFileSize.KERNEL32(00000000,00000000,?,761311B0,?,00000000,?,0040A445), ref: 0040E558
• ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,761311B0,?,00000000,?,0040A445), ref: 0040E583
• CloseHandle.KERNEL32(00000000,?,761311B0,?,00000000,?,0040A445), ref: 0040E5B2
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID: PromptOnSecureDesktop
• API String ID: 3683885500-2980165447
• Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
• Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
• Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
• Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
• Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
• Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007076D9
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0070796D
• RegCloseKey.ADVAPI32(?), ref: 0070797E
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1332880857-2980165447
• Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
• Instruction ID: c40250672e2ccc30d5fc75780f2b040b7f13f12d2d6168c8c57c3847399938f8
• Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
• Instruction Fuzzy Hash: 5511AC71A04109EFDB118FA9DC49EAFBFB8EB81710F144261F515E62D1E6B99D40CB60
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
• Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
• Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0070999D
• RegDeleteValueA.ADVAPI32(?,00000000), ref: 007099BD
• RegCloseKey.ADVAPI32(?), ref: 007099C6
Strings
Memory Dump Source
• Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_700000_file.jbxd
Yara matches
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 849931509-2980165447
                                                                                                                                                                                • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                                                                                                                • Instruction ID: e76a516849abb4a3180378e9c4516ab0a3a3752da83d2f5a45aa5f0b053a1d03
                                                                                                                                                                                • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                                                                                                                • Instruction Fuzzy Hash: 13F0F6B2680208FBF7106B50EC0BFDB3A6CDB94B14F100070FA05B50C2F6E99E9182B9
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                                                                                                                • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                                                                                                                • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CloseDeleteOpenValue
                                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 849931509-2980165447
                                                                                                                                                                                • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                                                                                                                • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                                                                                                                • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                                                                                                                • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: gethostbynameinet_addr
                                                                                                                                                                                • String ID: time_cfg$u6A
                                                                                                                                                                                • API String ID: 1594361348-1940331995
                                                                                                                                                                                • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                                                                • Instruction ID: 246371fac7d59bf08bc2222fe851244e570c25a65e8296b0b52bed7539fefd09
                                                                                                                                                                                • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                                                                • Instruction Fuzzy Hash: 07E08C31604111CFCB408B28F848AC577E4AF0A330F008280F040D32E1C7389C829640
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • SetFileAttributesA.KERNEL32(?,00000080), ref: 007069E5
                                                                                                                                                                                • SetFileAttributesA.KERNEL32(?,00000002), ref: 00706A26
                                                                                                                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 00706A3A
                                                                                                                                                                                • CloseHandle.KERNEL32(000000FF), ref: 00706BD8
                                                                                                                                                                                  • Part of subcall function 0070EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00701DCF,?), ref: 0070EEA8
                                                                                                                                                                                  • Part of subcall function 0070EE95: HeapFree.KERNEL32(00000000), ref: 0070EEAF
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3384756699-0
                                                                                                                                                                                • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                                                                                                • Instruction ID: 906ed86e3a9608ed06de50e6fc13fd39618e572dfb964ea1e3ac2885554dceb6
                                                                                                                                                                                • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                                                                                                • Instruction Fuzzy Hash: 2B7129B190021DEFDF10DFA4CC949EEBBB9FB04314F20466AE515E6190E7349E91DB50
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: wsprintf
                                                                                                                                                                                • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                                                                                                • API String ID: 2111968516-120809033
                                                                                                                                                                                • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                                                                                                • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                                                                                                                • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                                                                                                • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 007041AB
                                                                                                                                                                                • GetLastError.KERNEL32 ref: 007041B5
                                                                                                                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 007041C6
                                                                                                                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 007041D9
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3373104450-0
                                                                                                                                                                                • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                                                                • Instruction ID: 436a6d301eee9229df9b5e0c28d82529c171526aab2c3ba8a9509683d006626c
                                                                                                                                                                                • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                                                                • Instruction Fuzzy Hash: 3301E97651110EEBDF01DF91ED84BEE7BACEB18359F104161FA01E2090D7749A948BB9
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0070421F
                                                                                                                                                                                • GetLastError.KERNEL32 ref: 00704229
                                                                                                                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 0070423A
                                                                                                                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0070424D
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 888215731-0
                                                                                                                                                                                • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                                                                • Instruction ID: 7d10d00d499ac07f99eb23055672c10012d99f299c0d466730b94f5d5e59676b
                                                                                                                                                                                • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                                                                • Instruction Fuzzy Hash: 9201A5B2611109ABDF01DF90ED84BEE7BACFB08355F108561FA01E2090D7749A649BB6
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%
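
Taken together, the function records above are the lines an analyst pulls out of a listing like this for triage: the RegOpenKeyExA/RegDeleteValueA pair whose String ID is PromptOnSecureDesktop (a UAC policy value name; the first argument 80000001 is HKEY_CURRENT_USER and the subkey is not resolved in the dump), the SetFileAttributesA calls that first reset a file to FILE_ATTRIBUTE_NORMAL (0x80) and then set FILE_ATTRIBUTE_HIDDEN (0x2), and the ReadFile/WriteFile functions that call GetLastError, WaitForSingleObject and GetOverlappedResult, which is the standard way to drive an overlapped handle and wait out ERROR_IO_PENDING. The Python below is an added example and is not part of the Joe Sandbox report or of the Tofsee sample: it parses the "• Api.MODULE(args), ref: addr" bullets plus the String ID and Source File lines into records and applies those three rules. The rule wording, class names and function names are this example's own; the HKEY handle values and FILE_ATTRIBUTE_HIDDEN are the constants from the Windows SDK headers; the constructed sample input is copied from records on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List

# "• Api.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall
# function ADDR:"; parameterless calls (GetLastError) carry no argument list.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # winnt.h


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]     # hex words or '?' exactly as the sandbox printed them
    ref: str            # address of the call site
    subcall: str = ""   # set when the call came from a "Part of subcall" line


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    string_id: str = ""
    source: str = ""

    def has(self, *names: str) -> bool:
        return set(names) <= {c.api for c in self.calls}


def parse_records(text: str) -> List[FunctionRecord]:
    """A record starts at an 'APIs' header; bullets before the next 'Strings' or
    'Memory Dump Source' header are calls, later bullets give String ID and dump."""
    records: List[FunctionRecord] = []
    cur, in_apis = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur, in_apis = FunctionRecord(), True
            records.append(cur)
            continue
        if cur is None:
            continue
        if line in ("Strings", "Memory Dump Source"):
            in_apis = False
        m = API_LINE.match(line) if in_apis else None
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["sub"] or ""))
        elif line.startswith("• String ID:"):
            cur.string_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Source File:"):
            cur.source = line.split(":", 1)[1].split(",")[0].strip()
    return records


def triage(rec: FunctionRecord) -> List[str]:
    """Findings from API names, captured arguments and String ID only."""
    out: List[str] = []
    seen = rec.string_id + " " + " ".join(a for c in rec.calls for a in c.args)
    if rec.has("RegOpenKeyExA", "RegDeleteValueA") and "PromptOnSecureDesktop" in seen:
        hive = next((HIVES.get(c.args[0], c.args[0]) for c in rec.calls
                     if c.api == "RegOpenKeyExA" and c.args), "unknown hive")
        out.append("deletes the PromptOnSecureDesktop value (UAC secure-desktop "
                   f"policy name) from a key opened under {hive}")
    for c in rec.calls:
        if c.api.startswith("SetFileAttributes") and len(c.args) > 1:
            try:
                attrs = int(c.args[1], 16)
            except ValueError:  # unresolved argument, printed as '?'
                continue
            if attrs & FILE_ATTRIBUTE_HIDDEN:
                out.append(f"sets FILE_ATTRIBUTE_HIDDEN at {c.ref}")
    for io in ("ReadFile", "WriteFile"):
        if rec.has(io, "GetLastError", "WaitForSingleObject", "GetOverlappedResult"):
            out.append(f"overlapped {io} then wait for completion (ERROR_IO_PENDING loop)")
    return out


def triage_report(text: str) -> List[dict]:
    return [{"source": r.source, "string_id": r.string_id, "finding": f}
            for r in parse_records(text) for f in triage(r)]


# Constructed input: three records copied verbatim from this report's function list.
SAMPLE = """\
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
• RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
• RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• String ID: PromptOnSecureDesktop
APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 007069E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00706A26
  • Part of subcall function 0070EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00701DCF,?), ref: 0070EEA8
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0070421F
• GetLastError.KERNEL32 ref: 00704229
• WaitForSingleObject.KERNEL32(?,?), ref: 0070423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0070424D
"""
```

Call triage_report() on the text of a function listing; each hit carries the memory dump it came from, so findings from the unpacked image at 0x700000 can be separated from those in the original image at 0x400000. The PromptOnSecureDesktop rule keys on the value name only: the policy Windows honours lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, while the call recorded here opens HKEY_CURRENT_USER with an unresolved subkey, so the record by itself does not establish that the UAC prompt behaviour was actually changed.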

APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                                                                                                                • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                                                                • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                                                                                                                • GetLastError.KERNEL32 ref: 00403FC2
                                                                                                                                                                                • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                                                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 888215731-0
                                                                                                                                                                                • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                                                                • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                                                                                                                • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                                                                • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • lstrcmp.KERNEL32(?,80000009), ref: 0070E066
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: lstrcmp
                                                                                                                                                                                • String ID: A$ A$ A
                                                                                                                                                                                • API String ID: 1534048567-1846390581
                                                                                                                                                                                • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                                                                                                • Instruction ID: ee989ec6da866e75e4a24ca2236dc6f26eb7c3df02037516d74587017e59f0d8
                                                                                                                                                                                • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                                                                                                • Instruction Fuzzy Hash: 55F06272600702DBCB20CF25D884A92B7E9FF45321B648B2AE154C30A0D3B8A898CB51
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                                                                                                                • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                                • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                                                                                                • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                                                                                                                • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                                                                                                • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                                                                                                • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                                • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                                                                                • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                                                                                                • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                                                                                • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                                                                                                                • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                                                                                                                • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                                • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                                                                                                • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                                                                                                                • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                                                                                                • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00403103
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                                                                                                • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                                • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                                                                                                • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                                                                                                                • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                                                                                                • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                                                                                                                • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                                                                                                                  • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                                                                                                  • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                                                                                                  • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                                                                                                  • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 4151426672-2980165447
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 007083C6
                                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00708477
                                                                                                                                                                                  • Part of subcall function 007069C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 007069E5
                                                                                                                                                                                  • Part of subcall function 007069C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00706A26
                                                                                                                                                                                  • Part of subcall function 007069C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00706A3A
                                                                                                                                                                                  • Part of subcall function 0070EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00701DCF,?), ref: 0070EEA8
                                                                                                                                                                                  • Part of subcall function 0070EE95: HeapFree.KERNEL32(00000000), ref: 0070EEAF
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 359188348-2980165447
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,0070E859,00000000,00020119,0070E859,PromptOnSecureDesktop), ref: 0070E64D
                                                                                                                                                                                • RegCloseKey.ADVAPI32(0070E859,?,?,?,?,000000C8,000000E4), ref: 0070E787
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CloseOpen
                                                                                                                                                                                • String ID: PromptOnSecureDesktop
                                                                                                                                                                                • API String ID: 47109696-2980165447
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetLocalTime.KERNEL32(?), ref: 0070AFFF
                                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0070B00D
                                                                                                                                                                                  • Part of subcall function 0070AF6F: gethostname.WS2_32(?,00000080), ref: 0070AF83
                                                                                                                                                                                  • Part of subcall function 0070AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0070AFE6
                                                                                                                                                                                  • Part of subcall function 0070331C: gethostname.WS2_32(?,00000080), ref: 0070333F
                                                                                                                                                                                  • Part of subcall function 0070331C: gethostbyname.WS2_32(?), ref: 00703349
                                                                                                                                                                                  • Part of subcall function 0070AA0A: inet_ntoa.WS2_32(00000000), ref: 0070AA10
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                                                                                                • String ID: %OUTLOOK_BND_
                                                                                                                                                                                • API String ID: 1981676241-3684217054
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00709536
                                                                                                                                                                                • Sleep.KERNEL32(000001F4), ref: 0070955D
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ExecuteShellSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 4194306370-3916222277
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0070B9D9
                                                                                                                                                                                • InterlockedIncrement.KERNEL32(00413648), ref: 0070BA3A
                                                                                                                                                                                • InterlockedIncrement.KERNEL32(?), ref: 0070BA94
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0070BB79
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0070BB99
                                                                                                                                                                                • InterlockedIncrement.KERNEL32(?), ref: 0070BE15
                                                                                                                                                                                • closesocket.WS2_32(00000000), ref: 0070BEB4
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountIncrementInterlockedTick$closesocket
                                                                                                                                                                                • String ID: %FROM_EMAIL
                                                                                                                                                                                • API String ID: 1869671989-2903620461
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTick
                                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                                • API String ID: 536389180-1857712256
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                Strings
                                                                                                                                                                                • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTickwsprintf
                                                                                                                                                                                • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                                                                                                • API String ID: 2424974917-1012700906
                                                                                                                                                                                • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                                                                                                • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                                                                                                                • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                                                                                                • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                                                                                                  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                                                                                                • String ID: %FROM_EMAIL
                                                                                                                                                                                • API String ID: 3716169038-2903620461
                                                                                                                                                                                • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                                                                                                • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                                                                                                                • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                                                                                                • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetUserNameW.ADVAPI32(?,?), ref: 007070BC
                                                                                                                                                                                • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 007070F4
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Name$AccountLookupUser
                                                                                                                                                                                • String ID: |
                                                                                                                                                                                • API String ID: 2370142434-2343686810
                                                                                                                                                                                • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                                                                                                • Instruction ID: 10cefcb34136b5c55272ede55dc717ea099146f414004b79c1bfaf257b144ba4
                                                                                                                                                                                • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                                                                                                • Instruction Fuzzy Hash: AA111872D0411CEBDF15CBD4DC84ADEB7FDAB44301F1442A6E501E61D0E674AB98CBA0
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                                                                                                  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                                                                                                • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                                                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                                • API String ID: 2777991786-1857712256
                                                                                                                                                                                • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                                                                                                • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                                                                                                                • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                                                                                                • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                                                                                                                • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: IncrementInterlockedlstrcpyn
                                                                                                                                                                                • String ID: %FROM_EMAIL
                                                                                                                                                                                • API String ID: 224340156-2903620461
                                                                                                                                                                                • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                                                                                                • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                                                                                                                • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                                                                                                • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                                                                                                                • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: gethostbyaddrinet_ntoa
                                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                                • API String ID: 2112563974-1857712256
                                                                                                                                                                                • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                                                                                                • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                                                                                                                • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                                                                                                • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: gethostbynameinet_addr
                                                                                                                                                                                • String ID: time_cfg
                                                                                                                                                                                • API String ID: 1594361348-2401304539
                                                                                                                                                                                • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                                                                • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                                                                                                                • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                                                                • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7558EA50,80000001,00000000), ref: 0040EAF2
                                                                                                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                 • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                                                                                • String ID: ntdll.dll
                                                                                                                                                                                • API String ID: 2574300362-2227199552
                                                                                                                                                                                • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                                                                                • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                                                                                                                • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                                                                                • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 00702F88: GetModuleHandleA.KERNEL32(?), ref: 00702FA1
                                                                                                                                                                                  • Part of subcall function 00702F88: LoadLibraryA.KERNEL32(?), ref: 00702FB1
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007031DA
                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 007031E1
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457259908.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_700000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1017166417-0
                                                                                                                                                                                • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                                                                                                • Instruction ID: 5fa702f42920f5470ba0570c07b9f7f45603474db928626c7c0f4478b6068e16
                                                                                                                                                                                • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                                                                                                • Instruction Fuzzy Hash: 69519A3190020AEFCB11DF64D8889EAB7B9FF19305B144669EC96C7291E7369A19CB90
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,76132640,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                                                                                                  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.1457131872.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                 • Associated: 00000004.00000002.1457131872.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_400000_file.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1017166417-0
                                                                                                                                                                                • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                                                                                                • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                                                                                                                • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                                                                                                • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Execution Graph

                                                                                                                                                                                Execution Coverage:2.9%
                                                                                                                                                                                Dynamic/Decrypted Code Coverage:30.9%
                                                                                                                                                                                Signature Coverage:0%
                                                                                                                                                                                Total number of Nodes:1587
                                                                                                                                                                                Total number of Limit Nodes:13
15141->15135 15141->15136 15141->15139 15143 40777e GetFileAttributesExA 15141->15143 15144 407769 15141->15144 15142 4077e3 RegCloseKey 15142->15140 15143->15144 15144->15142 15146 407073 15145->15146 15147 4070b9 RegOpenKeyExA 15146->15147 15148 4070d0 15147->15148 15162 4071b8 15147->15162 15149 406dc2 6 API calls 15148->15149 15152 4070d5 15149->15152 15150 40719b RegEnumValueA 15151 4071af RegCloseKey 15150->15151 15150->15152 15151->15162 15152->15150 15154 4071d0 15152->15154 15168 40f1a5 lstrlenA 15152->15168 15155 407205 RegCloseKey 15154->15155 15156 407227 15154->15156 15155->15162 15157 4072b8 ___ascii_stricmp 15156->15157 15158 40728e RegCloseKey 15156->15158 15159 4072cd RegCloseKey 15157->15159 15160 4072dd 15157->15160 15158->15162 15159->15162 15161 407311 RegCloseKey 15160->15161 15164 407335 15160->15164 15161->15162 15162->14802 15163 4073d5 RegCloseKey 15165 4073e4 15163->15165 15164->15163 15166 40737e GetFileAttributesExA 15164->15166 15167 407397 15164->15167 15166->15167 15167->15163 15169 40f1c3 15168->15169 15169->15152 15171 406e5f LookupAccountNameW 15170->15171 15172 406e97 15170->15172 15171->15172 15172->14804 15174 40eb17 15173->15174 15176 40eb21 15173->15176 15183 40eae4 15174->15183 15176->14843 15178 4069b9 WriteFile 15177->15178 15180 406a3c 15178->15180 15182 4069ff 15178->15182 15180->14840 15180->14841 15181 406a10 WriteFile 15181->15180 15181->15182 15182->15180 15182->15181 15184 40eb02 GetProcAddress 15183->15184 15185 40eaed LoadLibraryA 15183->15185 15184->15176 15185->15184 15186 40eb01 15185->15186 15186->15176 15188 401924 GetVersionExA 15187->15188 15188->14855 15190 406f55 15189->15190 15191 406eef AllocateAndInitializeSid 15189->15191 15190->14865 15192 406f44 15191->15192 15193 406f1c CheckTokenMembership 15191->15193 15192->15190 15196 406e36 2 API calls 15192->15196 15194 406f3b FreeSid 15193->15194 15195 406f2e 15193->15195 15194->15192 15195->15194 15196->15190 15198 40f0f1 15197->15198 15199 40f0ed 
15197->15199 15200 40f119 15198->15200 15201 40f0fa lstrlenA SysAllocStringByteLen 15198->15201 15199->14887 15203 40f11c MultiByteToWideChar 15200->15203 15202 40f117 15201->15202 15201->15203 15202->14887 15203->15202 15205 401820 17 API calls 15204->15205 15206 4018f2 15205->15206 15207 4018f9 15206->15207 15221 401280 15206->15221 15207->14883 15209 401908 15209->14883 15233 401000 15210->15233 15212 401839 15213 401851 GetCurrentProcess 15212->15213 15214 40183d 15212->15214 15215 401864 15213->15215 15214->14874 15215->14874 15217 40920e 15216->15217 15220 409308 15216->15220 15218 4092f1 Sleep 15217->15218 15219 4092bf ShellExecuteA 15217->15219 15217->15220 15218->15217 15219->15217 15219->15220 15220->14883 15222 4012e1 15221->15222 15223 4016f9 GetLastError 15222->15223 15230 4013a8 15222->15230 15224 401699 15223->15224 15224->15209 15225 401570 lstrlenW 15225->15230 15226 4015be GetStartupInfoW 15226->15230 15227 4015ff CreateProcessWithLogonW 15228 4016bf GetLastError 15227->15228 15229 40163f WaitForSingleObject 15227->15229 15228->15224 15229->15230 15231 401659 CloseHandle 15229->15231 15230->15224 15230->15225 15230->15226 15230->15227 15232 401668 CloseHandle 15230->15232 15231->15230 15232->15230 15234 40100d LoadLibraryA 15233->15234 15244 401023 15233->15244 15235 401021 15234->15235 15234->15244 15235->15212 15236 4010b5 GetProcAddress 15237 4010d1 GetProcAddress 15236->15237 15238 40127b 15236->15238 15237->15238 15239 4010f0 GetProcAddress 15237->15239 15238->15212 15239->15238 15240 401110 GetProcAddress 15239->15240 15240->15238 15241 401130 GetProcAddress 15240->15241 15241->15238 15242 40114f GetProcAddress 15241->15242 15242->15238 15243 40116f GetProcAddress 15242->15243 15243->15238 15245 40118f GetProcAddress 15243->15245 15244->15236 15253 4010ae 15244->15253 15245->15238 15246 4011ae GetProcAddress 15245->15246 15246->15238 15247 4011ce GetProcAddress 15246->15247 15247->15238 15248 4011ee GetProcAddress 15247->15248 15248->15238 
15249 401209 GetProcAddress 15248->15249 15249->15238 15250 401225 GetProcAddress 15249->15250 15250->15238 15251 401241 GetProcAddress 15250->15251 15251->15238 15252 40125c GetProcAddress 15251->15252 15252->15238 15253->15212 15255 40908d 15254->15255 15256 4090e2 wsprintfA 15255->15256 15257 40ee2a 15256->15257 15258 4090fd CreateFileA 15257->15258 15259 40911a lstrlenA WriteFile CloseHandle 15258->15259 15260 40913f 15258->15260 15259->15260 15260->14903 15260->14904 15262 40dd41 InterlockedExchange 15261->15262 15263 40dd20 GetCurrentThreadId 15262->15263 15264 40dd4a 15262->15264 15265 40dd53 GetCurrentThreadId 15263->15265 15266 40dd2e GetTickCount 15263->15266 15264->15265 15265->14907 15266->15264 15267 40dd39 Sleep 15266->15267 15267->15262 15269 40dbf0 15268->15269 15301 40db67 GetEnvironmentVariableA 15269->15301 15271 40dc19 15272 40dcda 15271->15272 15273 40db67 3 API calls 15271->15273 15272->14909 15274 40dc5c 15273->15274 15274->15272 15275 40db67 3 API calls 15274->15275 15276 40dc9b 15275->15276 15276->15272 15277 40db67 3 API calls 15276->15277 15277->15272 15279 40db3a 15278->15279 15281 40db55 15278->15281 15305 40ebed 15279->15305 15281->14911 15281->14916 15315 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15282->15315 15284 40e3be 15284->14911 15285 40e342 15285->15284 15318 40de24 15285->15318 15288 40e528 15287->15288 15289 40e3f4 15287->15289 15288->14921 15290 40e434 RegQueryValueExA 15289->15290 15291 40e51d RegCloseKey 15290->15291 15292 40e458 15290->15292 15291->15288 15293 40e46e RegQueryValueExA 15292->15293 15293->15292 15294 40e488 15293->15294 15294->15291 15295 40db2e 6 API calls 15294->15295 15296 40e499 15295->15296 15296->15291 15297 40e4b9 RegQueryValueExA 15296->15297 15298 40e4e8 15296->15298 15297->15296 15297->15298 15298->15291 15299 40e332 12 API calls 15298->15299 15300 40e513 15299->15300 15300->15291 15302 40db89 lstrcpyA CreateFileA 15301->15302 15303 40dbca 15301->15303 15302->15271 15303->15271 15306 
40ec01 15305->15306 15307 40ebf6 15305->15307 15309 40eba0 codecvt 2 API calls 15306->15309 15308 40ebcc 3 API calls 15307->15308 15310 40ebfe 15308->15310 15311 40ec0a GetProcessHeap 15309->15311 15310->15281 15312 40ec20 15311->15312 15313 40eb74 2 API calls 15312->15313 15314 40ec28 15313->15314 15314->15281 15329 40eb41 15315->15329 15319 40de3a 15318->15319 15322 40de4e 15319->15322 15333 40dd84 15319->15333 15322->15285 15323 40ebed 6 API calls 15327 40def6 15323->15327 15324 40de9e 15324->15322 15324->15323 15325 40de76 15337 40ddcf 15325->15337 15327->15322 15328 40ddcf lstrcmpA 15327->15328 15328->15322 15330 40eb54 15329->15330 15331 40eb4a 15329->15331 15330->15285 15332 40eae4 2 API calls 15331->15332 15332->15330 15334 40ddc5 15333->15334 15335 40dd96 15333->15335 15334->15324 15334->15325 15335->15334 15336 40ddad lstrcmpiA 15335->15336 15336->15334 15336->15335 15338 40dddd 15337->15338 15340 40de20 15337->15340 15339 40ddfa lstrcmpA 15338->15339 15338->15340 15339->15338 15340->15322 15342 40dd05 6 API calls 15341->15342 15343 40e821 15342->15343 15344 40dd84 lstrcmpiA 15343->15344 15345 40e82c 15344->15345 15347 40e844 15345->15347 15386 402480 15345->15386 15347->14936 15349 40dd05 6 API calls 15348->15349 15350 40df7c 15349->15350 15351 40dd84 lstrcmpiA 15350->15351 15355 40df89 15351->15355 15352 40dfc4 15352->14942 15353 40ddcf lstrcmpA 15353->15355 15354 40ec2e codecvt 4 API calls 15354->15355 15355->15352 15355->15353 15355->15354 15356 40dd84 lstrcmpiA 15355->15356 15356->15355 15358 40ea98 15357->15358 15395 40e8a1 15358->15395 15360 401e84 15360->14945 15362 4019d5 GetProcAddress GetProcAddress GetProcAddress 15361->15362 15365 4019ce 15361->15365 15363 401ab3 FreeLibrary 15362->15363 15364 401a04 15362->15364 15363->15365 15364->15363 15366 401a14 GetProcessHeap 15364->15366 15365->14949 15366->15365 15369 401a2e 15366->15369 15368 401aa1 FreeLibrary 15368->15365 15369->15365 15369->15368 15370 401a96 HeapFree 15369->15370 15370->15368 
15423 401ac3 LoadLibraryA 15371->15423 15374 401bcf 15374->14960 15376 401ac3 10 API calls 15375->15376 15377 401c09 15376->15377 15378 401c41 15377->15378 15379 401c0d GetComputerNameA 15377->15379 15378->14968 15380 401c45 GetVolumeInformationA 15379->15380 15381 401c1f 15379->15381 15380->15378 15381->15378 15381->15380 15383 40ee2a 15382->15383 15384 4030d0 gethostname gethostbyname 15383->15384 15385 401f82 15384->15385 15385->14973 15385->14975 15389 402419 lstrlenA 15386->15389 15388 402491 15388->15347 15390 40243d lstrlenA 15389->15390 15393 402474 15389->15393 15391 402464 lstrlenA 15390->15391 15392 40244e lstrcmpiA 15390->15392 15391->15390 15391->15393 15392->15391 15394 40245c 15392->15394 15393->15388 15394->15391 15394->15393 15396 40dd05 6 API calls 15395->15396 15397 40e8b4 15396->15397 15398 40dd84 lstrcmpiA 15397->15398 15399 40e8c0 15398->15399 15400 40e90a 15399->15400 15401 40e8c8 lstrcpynA 15399->15401 15402 402419 4 API calls 15400->15402 15412 40ea27 15400->15412 15403 40e8f5 15401->15403 15404 40e926 lstrlenA lstrlenA 15402->15404 15416 40df4c 15403->15416 15405 40e96a 15404->15405 15406 40e94c lstrlenA 15404->15406 15410 40ebcc 3 API calls 15405->15410 15405->15412 15406->15405 15408 40e901 15409 40dd84 lstrcmpiA 15408->15409 15409->15400 15411 40e98f 15410->15411 15411->15412 15413 40df4c 18 API calls 15411->15413 15412->15360 15414 40ea1e 15413->15414 15415 40ec2e codecvt 4 API calls 15414->15415 15415->15412 15417 40dd05 6 API calls 15416->15417 15418 40df51 15417->15418 15419 40f04e 4 API calls 15418->15419 15420 40df58 15419->15420 15421 40de24 8 API calls 15420->15421 15422 40df63 15421->15422 15422->15408 15424 401ae2 GetProcAddress 15423->15424 15429 401b68 GetComputerNameA GetVolumeInformationA 15423->15429 15425 401af5 15424->15425 15424->15429 15426 40ebed 6 API calls 15425->15426 15427 401b29 15425->15427 15426->15425 15427->15427 15428 40ec2e codecvt 4 API calls 15427->15428 15427->15429 15428->15429 15429->15374 15431 
406ec3 2 API calls 15430->15431 15432 407ef4 15431->15432 15433 4073ff 17 API calls 15432->15433 15434 407fc9 15432->15434 15435 407f16 15433->15435 15434->14987 15435->15434 15443 407809 GetUserNameA 15435->15443 15437 407f63 15437->15434 15438 40ef1e lstrlenA 15437->15438 15439 407fa6 15438->15439 15440 40ef1e lstrlenA 15439->15440 15441 407fb7 15440->15441 15467 407a95 RegOpenKeyExA 15441->15467 15444 40783d LookupAccountNameA 15443->15444 15445 407a8d 15443->15445 15444->15445 15446 407874 GetLengthSid GetFileSecurityA 15444->15446 15445->15437 15446->15445 15447 4078a8 GetSecurityDescriptorOwner 15446->15447 15448 4078c5 EqualSid 15447->15448 15449 40791d GetSecurityDescriptorDacl 15447->15449 15448->15449 15450 4078dc LocalAlloc 15448->15450 15449->15445 15465 407941 15449->15465 15450->15449 15451 4078ef InitializeSecurityDescriptor 15450->15451 15452 407916 LocalFree 15451->15452 15453 4078fb SetSecurityDescriptorOwner 15451->15453 15452->15449 15453->15452 15455 40790b SetFileSecurityA 15453->15455 15454 40795b GetAce 15454->15465 15455->15452 15456 407980 EqualSid 15456->15465 15457 4079be EqualSid 15457->15465 15458 407a3d 15458->15445 15459 407a43 LocalAlloc 15458->15459 15459->15445 15461 407a56 InitializeSecurityDescriptor 15459->15461 15460 40799d DeleteAce 15460->15465 15462 407a62 SetSecurityDescriptorDacl 15461->15462 15463 407a86 LocalFree 15461->15463 15462->15463 15464 407a73 SetFileSecurityA 15462->15464 15463->15445 15464->15463 15466 407a83 15464->15466 15465->15445 15465->15454 15465->15456 15465->15457 15465->15458 15465->15460 15466->15463 15468 407ac4 15467->15468 15469 407acb GetUserNameA 15467->15469 15468->15434 15470 407da7 RegCloseKey 15469->15470 15471 407aed LookupAccountNameA 15469->15471 15470->15468 15471->15470 15472 407b24 RegGetKeySecurity 15471->15472 15472->15470 15473 407b49 GetSecurityDescriptorOwner 15472->15473 15474 407b63 EqualSid 15473->15474 15475 407bb8 GetSecurityDescriptorDacl 15473->15475 15474->15475 15477 
407b74 LocalAlloc 15474->15477 15476 407da6 15475->15476 15484 407bdc 15475->15484 15476->15470 15477->15475 15478 407b8a InitializeSecurityDescriptor 15477->15478 15480 407bb1 LocalFree 15478->15480 15481 407b96 SetSecurityDescriptorOwner 15478->15481 15479 407bf8 GetAce 15479->15484 15480->15475 15481->15480 15482 407ba6 RegSetKeySecurity 15481->15482 15482->15480 15483 407c1d EqualSid 15483->15484 15484->15476 15484->15479 15484->15483 15485 407cd9 15484->15485 15486 407c5f EqualSid 15484->15486 15487 407c3a DeleteAce 15484->15487 15485->15476 15488 407d5a LocalAlloc 15485->15488 15489 407cf2 RegOpenKeyExA 15485->15489 15486->15484 15487->15484 15488->15476 15490 407d70 InitializeSecurityDescriptor 15488->15490 15489->15488 15495 407d0f 15489->15495 15491 407d7c SetSecurityDescriptorDacl 15490->15491 15492 407d9f LocalFree 15490->15492 15491->15492 15493 407d8c RegSetKeySecurity 15491->15493 15492->15476 15493->15492 15494 407d9c 15493->15494 15494->15492 15496 407d43 RegSetValueExA 15495->15496 15496->15488 15497 407d54 15496->15497 15497->15488 15498->15003 15500 40dd05 6 API calls 15499->15500 15503 40e65f 15500->15503 15501 40e6a5 15502 40ebcc 3 API calls 15501->15502 15507 40e6f5 15501->15507 15505 40e6b0 15502->15505 15503->15501 15504 40e68c lstrcmpA 15503->15504 15504->15503 15506 40e6e0 lstrcpynA 15505->15506 15505->15507 15509 40e6b7 15505->15509 15506->15507 15508 40e71d lstrcmpA 15507->15508 15507->15509 15508->15507 15509->15005 15510->15011 15513 40c525 15511->15513 15516 40c532 15511->15516 15512 40c548 15517 40e7ff lstrcmpiA 15512->15517 15524 40c54f 15512->15524 15515 40ec2e codecvt 4 API calls 15513->15515 15513->15516 15515->15516 15516->15512 15663 40e7ff 15516->15663 15518 40c615 15517->15518 15519 40ebcc 3 API calls 15518->15519 15518->15524 15519->15524 15520 40c5d1 15522 40ebcc 3 API calls 15520->15522 15522->15524 15523 40e819 11 API calls 15525 40c5b7 15523->15525 15524->15025 15526 40f04e 4 API calls 15525->15526 15527 40c5bf 
15526->15527 15527->15512 15527->15520 15529 402692 inet_addr 15528->15529 15530 40268e 15528->15530 15529->15530 15531 40269e gethostbyname 15529->15531 15532 40f428 15530->15532 15531->15530 15666 40f315 15532->15666 15537 40c8d2 15535->15537 15536 40c907 15536->15026 15537->15536 15538 40c517 22 API calls 15537->15538 15538->15536 15539 40f43e 15540 40f473 recv 15539->15540 15541 40f458 15540->15541 15542 40f47c 15540->15542 15541->15540 15541->15542 15542->15042 15544 40c670 15543->15544 15545 40c67d 15543->15545 15546 40ebcc 3 API calls 15544->15546 15547 40ebcc 3 API calls 15545->15547 15549 40c699 15545->15549 15546->15545 15547->15549 15548 40c6f3 15548->15055 15548->15106 15549->15548 15550 40c73c send 15549->15550 15550->15548 15552 40c770 15551->15552 15553 40c77d 15551->15553 15554 40ebcc 3 API calls 15552->15554 15555 40c799 15553->15555 15557 40ebcc 3 API calls 15553->15557 15554->15553 15556 40c7b5 15555->15556 15558 40ebcc 3 API calls 15555->15558 15559 40f43e recv 15556->15559 15557->15555 15558->15556 15561 40c7cb 15559->15561 15560 40c7d3 15560->15106 15561->15560 15562 40f43e recv 15561->15562 15562->15560 15679 407db7 15563->15679 15566 407e70 15567 407e96 15566->15567 15569 40f04e 4 API calls 15566->15569 15567->15106 15568 40f04e 4 API calls 15570 407e4c 15568->15570 15569->15567 15570->15566 15571 40f04e 4 API calls 15570->15571 15571->15566 15573 406ec3 2 API calls 15572->15573 15574 407fdd 15573->15574 15575 4073ff 17 API calls 15574->15575 15584 4080c2 CreateProcessA 15574->15584 15576 407fff 15575->15576 15577 407809 21 API calls 15576->15577 15576->15584 15578 40804d 15577->15578 15579 40ef1e lstrlenA 15578->15579 15578->15584 15580 40809e 15579->15580 15581 40ef1e lstrlenA 15580->15581 15582 4080af 15581->15582 15583 407a95 24 API calls 15582->15583 15583->15584 15584->15108 15584->15109 15586 407db7 2 API calls 15585->15586 15587 407eb8 15586->15587 15588 40f04e 4 API calls 15587->15588 15589 407ece DeleteFileA 15588->15589 
15589->15106 15591 40dd05 6 API calls 15590->15591 15592 40e31d 15591->15592 15683 40e177 15592->15683 15594 40e326 15594->15080 15596 4031f3 15595->15596 15598 4031ec 15595->15598 15597 40ebcc 3 API calls 15596->15597 15611 4031fc 15597->15611 15598->15106 15599 40344b 15600 403459 15599->15600 15601 40349d 15599->15601 15603 40f04e 4 API calls 15600->15603 15602 40ec2e codecvt 4 API calls 15601->15602 15602->15598 15604 40345f 15603->15604 15606 4030fa 4 API calls 15604->15606 15605 40ebcc GetProcessHeap HeapSize GetProcessHeap 15605->15611 15606->15598 15607 40344d 15608 40ec2e codecvt 4 API calls 15607->15608 15608->15599 15610 403141 lstrcmpiA 15610->15611 15611->15598 15611->15599 15611->15605 15611->15607 15611->15610 15709 4030fa GetTickCount 15611->15709 15613 4030fa 4 API calls 15612->15613 15614 403c1a 15613->15614 15618 403ce6 15614->15618 15714 403a72 15614->15714 15617 403a72 9 API calls 15621 403c5e 15617->15621 15618->15106 15619 403a72 9 API calls 15619->15621 15620 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15620->15621 15621->15618 15621->15619 15621->15620 15623 403a10 15622->15623 15624 4030fa 4 API calls 15623->15624 15625 403a1a 15624->15625 15625->15106 15627 40dd05 6 API calls 15626->15627 15628 40e7be 15627->15628 15628->15106 15630 40c105 15629->15630 15631 40c07e wsprintfA 15629->15631 15630->15106 15723 40bfce GetTickCount wsprintfA 15631->15723 15633 40c0ef 15724 40bfce GetTickCount wsprintfA 15633->15724 15636 407047 15635->15636 15637 406f88 LookupAccountNameA 15635->15637 15636->15106 15639 407025 15637->15639 15641 406fcb 15637->15641 15640 406edd 5 API calls 15639->15640 15642 40702a wsprintfA 15640->15642 15643 406fdb ConvertSidToStringSidA 15641->15643 15642->15636 15643->15639 15644 406ff1 15643->15644 15645 407013 LocalFree 15644->15645 15645->15639 15647 40dd05 6 API calls 15646->15647 15648 40e85c 15647->15648 15649 40dd84 lstrcmpiA 15648->15649 15650 40e867 15649->15650 15651 40e885 lstrcpyA 15650->15651 
15725 4024a5 15650->15725 15728 40dd69 15651->15728 15657 407db7 2 API calls 15656->15657 15658 407de1 15657->15658 15659 40f04e 4 API calls 15658->15659 15662 407e16 15658->15662 15660 407df2 15659->15660 15661 40f04e 4 API calls 15660->15661 15660->15662 15661->15662 15662->15106 15664 40dd84 lstrcmpiA 15663->15664 15665 40c58e 15664->15665 15665->15512 15665->15520 15665->15523 15667 40ca1d 15666->15667 15668 40f33b 15666->15668 15667->15039 15667->15539 15669 40f347 htons socket 15668->15669 15670 40f382 ioctlsocket 15669->15670 15671 40f374 closesocket 15669->15671 15672 40f3aa connect select 15670->15672 15673 40f39d 15670->15673 15671->15667 15672->15667 15675 40f3f2 __WSAFDIsSet 15672->15675 15674 40f39f closesocket 15673->15674 15674->15667 15675->15674 15676 40f403 ioctlsocket 15675->15676 15678 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15676->15678 15678->15667 15680 407dc8 InterlockedExchange 15679->15680 15681 407dc0 Sleep 15680->15681 15682 407dd4 15680->15682 15681->15680 15682->15566 15682->15568 15684 40e184 15683->15684 15685 40e2e4 15684->15685 15686 40e223 15684->15686 15699 40dfe2 15684->15699 15685->15594 15686->15685 15688 40dfe2 6 API calls 15686->15688 15693 40e23c 15688->15693 15689 40e1be 15689->15686 15690 40dbcf 3 API calls 15689->15690 15692 40e1d6 15690->15692 15691 40e21a CloseHandle 15691->15686 15692->15686 15692->15691 15694 40e1f9 WriteFile 15692->15694 15693->15685 15703 40e095 RegCreateKeyExA 15693->15703 15694->15691 15696 40e213 15694->15696 15696->15691 15697 40e2a3 15697->15685 15698 40e095 4 API calls 15697->15698 15698->15685 15700 40dffc 15699->15700 15702 40e024 15699->15702 15701 40db2e 6 API calls 15700->15701 15700->15702 15701->15702 15702->15689 15704 40e172 15703->15704 15707 40e0c0 15703->15707 15704->15697 15705 40e13d 15706 40e14e RegDeleteValueA RegCloseKey 15705->15706 15706->15704 15707->15705 15708 40e115 RegSetValueExA 15707->15708 15708->15705 15708->15707 15710 403122 
InterlockedExchange 15709->15710 15711 40312e 15710->15711 15712 40310f GetTickCount 15710->15712 15711->15611 15712->15711 15713 40311a Sleep 15712->15713 15713->15710 15715 40f04e 4 API calls 15714->15715 15722 403a83 15715->15722 15716 403ac1 15716->15617 15716->15618 15717 403be6 15720 40ec2e codecvt 4 API calls 15717->15720 15718 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15719 403bc0 15718->15719 15719->15717 15719->15718 15720->15716 15721 403b66 lstrlenA 15721->15716 15721->15722 15722->15716 15722->15719 15722->15721 15723->15633 15724->15630 15726 402419 4 API calls 15725->15726 15727 4024b6 15726->15727 15727->15651 15729 40dd79 lstrlenA 15728->15729 15729->15106 15731 404084 15730->15731 15732 40407d 15730->15732 15733 403ecd 6 API calls 15731->15733 15734 40408f 15733->15734 15735 404000 3 API calls 15734->15735 15737 404095 15735->15737 15736 404130 15738 403ecd 6 API calls 15736->15738 15737->15736 15742 403f18 4 API calls 15737->15742 15739 404159 CreateNamedPipeA 15738->15739 15740 404167 Sleep 15739->15740 15741 404188 ConnectNamedPipe 15739->15741 15740->15736 15743 404176 CloseHandle 15740->15743 15745 404195 GetLastError 15741->15745 15754 4041ab 15741->15754 15744 4040da 15742->15744 15743->15741 15746 403f8c 4 API calls 15744->15746 15747 40425e DisconnectNamedPipe 15745->15747 15745->15754 15748 4040ec 15746->15748 15747->15741 15749 404127 CloseHandle 15748->15749 15750 404101 15748->15750 15749->15736 15752 403f18 4 API calls 15750->15752 15751 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15751->15754 15753 40411c ExitProcess 15752->15753 15754->15741 15754->15747 15754->15751 15755 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15754->15755 15756 40426a CloseHandle CloseHandle 15754->15756 15755->15754 15757 40e318 21 API calls 15756->15757 15758 40427b 15757->15758 15758->15758 15760 408791 15759->15760 15761 40879f 15759->15761 15762 40f04e 4 API calls 15760->15762 15763 
4087bc 15761->15763 15765 40f04e 4 API calls 15761->15765 15762->15761 15764 40e819 11 API calls 15763->15764 15766 4087d7 15764->15766 15765->15763 15779 408803 15766->15779 15781 4026b2 gethostbyaddr 15766->15781 15769 4087eb 15771 40e8a1 28 API calls 15769->15771 15769->15779 15771->15779 15774 40e819 11 API calls 15774->15779 15775 4088a0 Sleep 15775->15779 15777 4026b2 2 API calls 15777->15779 15778 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15778->15779 15779->15774 15779->15775 15779->15777 15779->15778 15780 40e8a1 28 API calls 15779->15780 15786 408cee 15779->15786 15794 40c4d6 15779->15794 15797 40c4e2 15779->15797 15800 402011 15779->15800 15835 408328 15779->15835 15780->15779 15782 4026fb 15781->15782 15783 4026cd 15781->15783 15782->15769 15784 4026e1 inet_ntoa 15783->15784 15785 4026de 15783->15785 15784->15785 15785->15769 15787 408d02 GetTickCount 15786->15787 15788 408dae 15786->15788 15787->15788 15792 408d19 15787->15792 15788->15779 15789 408da1 GetTickCount 15789->15788 15792->15789 15793 408d89 15792->15793 15887 40a677 15792->15887 15890 40a688 15792->15890 15793->15789 15898 40c2dc 15794->15898 15798 40c2dc 138 API calls 15797->15798 15799 40c4ec 15798->15799 15799->15779 15801 402020 15800->15801 15802 40202e 15800->15802 15803 40f04e 4 API calls 15801->15803 15804 40f04e 4 API calls 15802->15804 15807 40204b 15802->15807 15803->15802 15804->15807 15805 40206e GetTickCount 15806 4020db GetTickCount 15805->15806 15817 402090 15805->15817 15811 402132 GetTickCount GetTickCount 15806->15811 15819 4020e7 15806->15819 15807->15805 15808 40f04e 4 API calls 15807->15808 15809 402068 15808->15809 15809->15805 15810 4020d4 GetTickCount 15810->15806 15813 40f04e 4 API calls 15811->15813 15812 40212b GetTickCount 15812->15811 15815 402159 15813->15815 15814 402684 2 API calls 15814->15817 15818 4021b4 15815->15818 15821 40e854 13 API calls 15815->15821 15817->15810 15817->15814 15825 4020ce 15817->15825 16225 
401978 15817->16225 15820 40f04e 4 API calls 15818->15820 15819->15812 15827 401978 15 API calls 15819->15827 15828 402125 15819->15828 16230 402ef8 15819->16230 15824 4021d1 15820->15824 15822 40218e 15821->15822 15826 40e819 11 API calls 15822->15826 15829 4021f2 15824->15829 15831 40ea84 28 API calls 15824->15831 15825->15810 15830 40219c 15826->15830 15827->15819 15828->15812 15829->15779 15830->15818 16238 401c5f 15830->16238 15832 4021ec 15831->15832 15833 40f04e 4 API calls 15832->15833 15833->15829 15836 407dd6 6 API calls 15835->15836 15837 40833c 15836->15837 15838 408340 15837->15838 15839 406ec3 2 API calls 15837->15839 15838->15779 15840 40834f 15839->15840 15841 40835c 15840->15841 15844 40846b 15840->15844 15842 4073ff 17 API calls 15841->15842 15861 408373 15842->15861 15843 40675c 20 API calls 15856 4085df 15843->15856 15846 4084a7 RegOpenKeyExA 15844->15846 15872 408450 15844->15872 15845 408626 GetTempPathA 15878 408638 15845->15878 15848 4084c0 RegQueryValueExA 15846->15848 15849 40852f 15846->15849 15851 408521 RegCloseKey 15848->15851 15852 4084dd 15848->15852 15854 408564 RegOpenKeyExA 15849->15854 15867 4085a5 15849->15867 15850 4086ad 15853 408762 15850->15853 15855 407e2f 6 API calls 15850->15855 15851->15849 15852->15851 15860 40ebcc 3 API calls 15852->15860 15853->15838 15859 40ec2e codecvt 4 API calls 15853->15859 15857 408573 RegSetValueExA RegCloseKey 15854->15857 15854->15867 15864 4086bb 15855->15864 15856->15845 15856->15853 15856->15878 15857->15867 15858 40875b DeleteFileA 15858->15853 15859->15838 15863 4084f0 15860->15863 15861->15838 15865 4083ea RegOpenKeyExA 15861->15865 15861->15872 15863->15851 15866 4084f8 RegQueryValueExA 15863->15866 15864->15858 15873 4086e0 lstrcpyA lstrlenA 15864->15873 15869 4083fd RegQueryValueExA 15865->15869 15865->15872 15866->15851 15870 408515 15866->15870 15868 40ec2e codecvt 4 API calls 15867->15868 15867->15872 15868->15872 15874 40842d RegSetValueExA 15869->15874 15875 40841e 15869->15875 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\file.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\file.exe$C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe$D$P$\$ptlohvde
• API String ID: 2089075347-2447701589
• Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,761311B0,00000000), ref: 00407472
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,761311B0,00000000), ref: 004074F0
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,761311B0,00000000), ref: 00407528
• ___ascii_stricmp.LIBCMT ref: 0040764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,761311B0,00000000), ref: 004076E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,761311B0,00000000), ref: 00407717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,761311B0,00000000), ref: 00407745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,761311B0,00000000), ref: 004077EF
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
• RegCloseKey.ADVAPI32(?), ref: 004077E6
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
• Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0074024D
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 4e37773463db04960ea610d5de5676e08d2a9b3ebfc9bb26bbd888d8c2496cbd
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: A2527874A00229DFDB64CF68C984BA8BBB1BF09304F1480D9E90DAB251DB34AE94DF55
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2098669666-2746444292
• Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
• Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
• Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
• Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                                                                                                • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1209300637-0
                                                                                                                                                                                • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                                                                                                • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                                                                                                • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                                                                                                • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                 Legend: Executed / Not Executed
                                                                                                                                                                                 Blocks (id address-range [calls]): 509 406e36-406e5d GetUserNameW; 510 406ebe-406ec2; 511 406e5f-406e95 LookupAccountNameW; 512 406e97-406e9b; 513 406ebb-406ebd; 514 406e9d-406ea3; 515 406ea5-406eaa; 516 406eb7-406eb9; 517 406eac-406eb0; 518 406eb2-406eb5
                                                                                                                                                                                 Edges: 509->510, 509->511, 511->510, 511->512, 512->513, 512->514, 513->510, 514->513, 514->515, 515->516, 515->517, 516->510, 517->513, 517->518, 518->513, 518->516
                                                                                                                                                                                APIs
                                                                                                                                                                                • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                                                                                                                • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Name$AccountLookupUser
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2370142434-0
                                                                                                                                                                                • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                                                                                                • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                                                                                                                • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                                                                                                • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                 Legend: Executed / Not Executed
                                                                                                                                                                                 Blocks (id address-range [calls]): 519 61d9ca-61d9e3; 520 61d9e5-61d9e7; 521 61d9e9; 522 61d9ee-61d9fa CreateToolhelp32Snapshot; 523 61da0a-61da17 Module32First; 524 61d9fc-61da02; 525 61da20-61da28; 526 61da19-61da1a call 61d689; 529 61da1f; 531 61da04-61da08
                                                                                                                                                                                 Edges: 519->520, 520->521, 520->522, 521->522, 522->523, 522->524, 523->525, 523->526, 524->523, 524->531, 526->529, 529->525, 531->520, 531->523
                                                                                                                                                                                APIs
                                                                                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0061D9F2
                                                                                                                                                                                • Module32First.KERNEL32(00000000,00000224), ref: 0061DA12
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575910314.0000000000619000.00000040.00000020.00020000.00000000.sdmp, Offset: 00619000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_619000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3833638111-0
                                                                                                                                                                                • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                                                                • Instruction ID: 2c165b29db12cc72cb96234e6c17815ef3a6a7f4b68e92ed05a1c970f34fb709
                                                                                                                                                                                • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                                                                • Instruction Fuzzy Hash: 98F0F6311003146FD7207BF5E88DBEF72EABF49724F140628E642D11C0DB70EC854664
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                 Legend: Executed / Not Executed
                                                                                                                                                                                 Blocks (id address-range [calls]): 532 740e0f-740e24 SetErrorMode * 2; 533 740e26; 534 740e2b-740e2c
                                                                                                                                                                                 Edges: 532->533, 532->534, 533->534
                                                                                                                                                                                APIs
                                                                                                                                                                                • SetErrorMode.KERNELBASE(00000400,?,?,00740223,?,?), ref: 00740E19
                                                                                                                                                                                • SetErrorMode.KERNELBASE(00000000,?,?,00740223,?,?), ref: 00740E1E
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ErrorMode
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2340568224-0
                                                                                                                                                                                • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                • Instruction ID: 0d95ee2dc00d02904126902d519ad7257b8297a6f4be405c0843031f0b165e47
                                                                                                                                                                                • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                • Instruction Fuzzy Hash: 03D0123114512877D7003A94DC09BCD7B1CDF05B62F008411FB0DD9080C774994046E5
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                 Legend: Executed / Not Executed
                                                                                                                                                                                 Blocks (id address-range [calls]): 535 406dc2-406dd5; 536 406e33-406e35; 537 406dd7-406df1 call 406cc9 call 40ef00; 542 406df4-406df9; 543 406dfb-406e00; 544 406e02-406e22 GetVolumeInformationA; 545 406e24; 546 406e2e
                                                                                                                                                                                 Edges: 535->536, 535->537, 537->542, 542->542, 542->543, 543->544, 543->545, 544->545, 544->546, 545->546, 546->536
                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                                                                                                  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                                                                                                  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                                                                                                  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                                                                                                • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1823874839-0
                                                                                                                                                                                • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                                                                                                • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                                                                                                                • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                                                                                                • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                 Legend: Executed / Not Executed
                                                                                                                                                                                 Blocks (id address-range [calls]): 547 409892-4098c0; 548 4098c2-4098c5; 549 4098d9; 550 4098c7-4098d7; 551 4098e0-4098f1 SetServiceStatus
                                                                                                                                                                                 Edges: 547->548, 547->549, 548->549, 548->550, 549->551, 550->551
                                                                                                                                                                                APIs
                                                                                                                                                                                • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ServiceStatus
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3969395364-0
                                                                                                                                                                                • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                                                                                                                • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                                                                                                                • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                                                                                                                • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%
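The API bullets in the function entries of this section are the raw material behind sandbox verdicts of the "debugger detection" and "unpacking" kind: SetErrorMode(0x400) immediately followed by SetErrorMode(0), VirtualAlloc with MEM_COMMIT and PAGE_EXECUTE_READWRITE, CreateToolhelp32Snapshot(TH32CS_SNAPMODULE) paired with Module32First, GetVolumeInformationA asked only for the volume serial next to GetTickCount and GetSystemTimeAsFileTime, and GetUserNameW followed by LookupAccountNameW. The script below is an added example, not part of this report and not Joe Sandbox code. It parses bullets in the report's own `Name.Module(args), ref: addr` form and applies those rules, so an analyst can run them over a whole exported listing instead of reading entry by entry. The sample input is re-typed from the entries in this section and labelled as constructed; the constant names, finding labels and rule thresholds are this example's own choices, the report itself only shows the numeric arguments.

```python
"""Triage the per-function API bullets of a Joe Sandbox code-analysis section.
Added example, not report or Joe Sandbox code. The sample lines are re-typed
from the function entries on this page; the rules and names are this example's."""
import re
from collections import namedtuple

MEM_COMMIT = 0x1000             # VirtualAlloc flAllocationType
PAGE_EXECUTE_READWRITE = 0x40   # VirtualAlloc flProtect
TH32CS_SNAPMODULE = 0x8         # CreateToolhelp32Snapshot dwFlags

# Bullet shape:  SetErrorMode.KERNELBASE(00000400,?,?,00740223,?,?), ref: 00740E19
# search() also copes with a "Part of subcall function X:" prefix and with
# arg-less calls such as "GetTickCount.KERNEL32 ref: 0040EC78".
API_RE = re.compile(
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# args: int for hex literals, None for '?' and for string arguments
ApiCall = namedtuple("ApiCall", "name module args ref")

def parse_call(line):
    """One API bullet -> ApiCall, or None for lines that are not API references."""
    m = API_RE.search(line)
    if not m:
        return None
    args = []
    for tok in filter(None, (t.strip() for t in (m["args"] or "").split(","))):
        try:
            args.append(int(tok, 16))
        except ValueError:      # '?', 'kernel32', a path, ...
            args.append(None)
    return ApiCall(m["name"], m["module"], args, int(m["ref"], 16))

def arg(call, i):
    """i-th argument as int; None when absent or not a constant in the report."""
    return call.args[i] if i < len(call.args) else None

def triage(lines):
    """Findings for one function's API list, in report order."""
    calls = [c for c in map(parse_call, lines) if c]
    names = {c.name for c in calls}
    findings = []
    # SetErrorMode(0x400) then SetErrorMode(0): the classic debugger check. 0x400 is
    # not a documented SEM_* flag; the code only tests whether the second call hands
    # the value back, which some debuggers and API hooks break.
    for a, b in zip(calls, calls[1:]):
        if a.name == b.name == "SetErrorMode" and arg(a, 0) == 0x400 and arg(b, 0) == 0:
            findings.append("SetErrorMode debugger check")
    for c in calls:
        if (c.name == "VirtualAlloc" and arg(c, 2) is not None
                and arg(c, 2) & MEM_COMMIT and arg(c, 3) == PAGE_EXECUTE_READWRITE):
            findings.append("RWX allocation (unpack/inject staging)")
        if (c.name == "CreateToolhelp32Snapshot" and arg(c, 0) is not None
                and arg(c, 0) & TH32CS_SNAPMODULE):
            findings.append("module enumeration via Toolhelp snapshot")
        # Volume-name buffer (arg 1) NULL but lpVolumeSerialNumber (arg 3) supplied:
        # only the serial is wanted, a common bot-ID / fingerprint ingredient.
        if (c.name.startswith("GetVolumeInformation") and len(c.args) >= 4
                and arg(c, 1) == 0 and arg(c, 3) != 0):
            findings.append("volume serial read (host fingerprint)")
    if {"GetTickCount", "GetSystemTimeAsFileTime"} <= names:
        findings.append("tick count + system time (seed/timing material)")
    if {"GetUserNameW", "LookupAccountNameW"} <= names:
        findings.append("current-user SID lookup")
    return findings

# Constructed sample: the API bullets of the function entries in this section.
SAMPLE = {
    "0040EC5E": [
        "GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E",
        "GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72",
        "GetTickCount.KERNEL32 ref: 0040EC78",
    ],
    "00406E36": [
        "GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55",
        "LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D",
    ],
    "0061D9CA": [
        "CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0061D9F2",
        "Module32First.KERNEL32(00000000,00000224), ref: 0061DA12",
    ],
    "00740E0F": [
        "SetErrorMode.KERNELBASE(00000400,?,?,00740223,?,?), ref: 00740E19",
        "SetErrorMode.KERNELBASE(00000000,?,?,00740223,?,?), ref: 00740E1E",
    ],
    "0061D689": ["VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0061D6DA"],
}

def run_triage(sample=SAMPLE):
    """Function address -> findings; functions without findings are omitted."""
    out = {}
    for fn, lines in sample.items():
        found = triage(lines)
        if found:
            out[fn] = found
    return out
```

`run_triage()` returns a dict keyed by function address. An argument shown as `?` in the report is not a constant, so the rules treat it as unknown rather than as zero: the SetErrorMode rule needs the literal 0x400, while the GetVolumeInformation rule accepts `?` for the serial-number pointer because a non-constant pointer still means the caller asked for the serial. A function whose calls match no rule (a lone Module32First, say) simply has no key; `parse_call` returns None only for lines that are not API references at all.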

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                 Legend: Executed / Not Executed
                                                                                                                                                                                 Blocks (id address-range [calls]): 552 61d689-61d6c3 call 61d99c; 555 61d711; 556 61d6c5-61d6f8 VirtualAlloc call 61d716; 558 61d6fd-61d70f
                                                                                                                                                                                 Edges: 552->555, 552->556, 555->555, 556->558, 558->555
                                                                                                                                                                                APIs
                                                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0061D6DA
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575910314.0000000000619000.00000040.00000020.00020000.00000000.sdmp, Offset: 00619000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_619000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                                                • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                • Instruction ID: 70d02c65c123443b32d183ec83923d1733279a1e7689d0158c2fb6a468728371
                                                                                                                                                                                • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                • Instruction Fuzzy Hash: 3F113C79A00208EFDB01DF98C985E98BBF5AF08350F198094F9489B362D371EA90DF80
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph (nodes: id address-range [calls]; edges: from->to)
559 4098f2-4098f4
560 4098f6-409902 call 404280
563 409904-409913 Sleep
564 409917
565 409915
566 409919-409942 call 402544 call 40977c
567 40995e-409960
571 409947-409957 call 40ee2a
559->560 560->563 560->564 563->560 563->565 564->566 564->567 565->564 566->571 571->567
APIs
  • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: CreateEventSleep
• String ID:
• API String ID: 3100162736-0
• Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
• Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
• Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
• Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 007465F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00746610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00746631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00746652
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction ID: 1015a6b8d4e37b405196035f5609910990c226b875a90b9d49e2c12596f30f20
• Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction Fuzzy Hash: 0F1173B1600218BFDB219F65EC4AF9B3FA8EB057A5F114024F908E7251DBB5DD1086A5
Uniqueness

Uniqueness Score: -1.00%

APIs
• ExitProcess.KERNEL32 ref: 00749E6D
• lstrcpy.KERNEL32(?,00000000), ref: 00749FE1
• lstrcat.KERNEL32(?,?), ref: 00749FF2
• lstrcat.KERNEL32(?,0041070C), ref: 0074A004
• GetFileAttributesExA.KERNEL32(?,?,?), ref: 0074A054
• DeleteFileA.KERNEL32(?), ref: 0074A09F
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0074A0D6
• lstrcpy.KERNEL32 ref: 0074A12F
• lstrlen.KERNEL32(00000022), ref: 0074A13C
• GetTempPathA.KERNEL32(000001F4,?), ref: 00749F13
  • Part of subcall function 00747029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00747081
  • Part of subcall function 00746F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\imehaowx,00747043), ref: 00746F4E
  • Part of subcall function 00746F30: GetProcAddress.KERNEL32(00000000), ref: 00746F55
  • Part of subcall function 00746F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00746F7B
  • Part of subcall function 00746F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00746F92
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0074A1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0074A1C5
• GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0074A214
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0074A21B
• GetDriveTypeA.KERNEL32(?), ref: 0074A265
• lstrcat.KERNEL32(?,00000000), ref: 0074A29F
• lstrcat.KERNEL32(?,00410A34), ref: 0074A2C5
• lstrcat.KERNEL32(?,00000022), ref: 0074A2D9
• lstrcat.KERNEL32(?,00410A34), ref: 0074A2F4
• wsprintfA.USER32 ref: 0074A31D
• lstrcat.KERNEL32(?,00000000), ref: 0074A345
• lstrcat.KERNEL32(?,?), ref: 0074A364
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0074A387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0074A398
• RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0074A1D1
  • Part of subcall function 00749966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0074999D
  • Part of subcall function 00749966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 007499BD
  • Part of subcall function 00749966: RegCloseKey.ADVAPI32(?), ref: 007499C6
• GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0074A3DB
• GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0074A3E2
• GetDriveTypeA.KERNEL32(00000022), ref: 0074A41D
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
• String ID: "$"$"$D$P$\
• API String ID: 1653845638-2605685093
• Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
• Instruction ID: d986b72bdb7d80835bec6d491fe8f363047ba8b792898e8006851d006c173c0c
• Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
• Instruction Fuzzy Hash: BAF14DB1D40259FFDB21DFA08C49EEF7BBCAB09300F5440A6F609E2151E7798A858F65
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
• Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
• Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
• Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
• Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
• wsprintfA.USER32 ref: 0040B3B7
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe$D
• API String ID: 2976863881-2306690221
• Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
• Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00747D21
• GetUserNameA.ADVAPI32(?,?), ref: 00747D46
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00747D7D
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00747DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00747DC0
• EqualSid.ADVAPI32(?,?), ref: 00747DD1
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00747DE5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00747DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00747E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00747E12
• LocalFree.KERNEL32(00000000), ref: 00747E19
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00747E35
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe$D
• API String ID: 2976863881-2306690221
• Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction ID: f8b34ed57ea39d59eb4b11cb1a3505c2aa00a1630071442f917a0eace9ad89b1
• Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction Fuzzy Hash: 0DA14B71900219EFDF11CFA0DD88FEEBBB9FB08300F14816AE615E6150DB798A85CB64
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
• Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
Uniqueness
Uniqueness Score: -1.00%

APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
• Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
• Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                                                                                                                • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                                                                                                                • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                                                                                                • String ID: D
                                                                                                                                                                                • API String ID: 3722657555-2746444292
                                                                                                                                                                                • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                                                                                • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                                                                                                                • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                                                                                • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 00747A96
                                                                                                                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00747ACD
                                                                                                                                                                                • GetLengthSid.ADVAPI32(?), ref: 00747ADF
                                                                                                                                                                                • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00747B01
                                                                                                                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00747B1F
                                                                                                                                                                                • EqualSid.ADVAPI32(?,?), ref: 00747B39
                                                                                                                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00747B4A
                                                                                                                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00747B58
                                                                                                                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00747B68
                                                                                                                                                                                • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00747B77
                                                                                                                                                                                • LocalFree.KERNEL32(00000000), ref: 00747B7E
                                                                                                                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00747B9A
                                                                                                                                                                                • GetAce.ADVAPI32(?,?,?), ref: 00747BCA
                                                                                                                                                                                • EqualSid.ADVAPI32(?,?), ref: 00747BF1
                                                                                                                                                                                • DeleteAce.ADVAPI32(?,?), ref: 00747C0A
                                                                                                                                                                                • EqualSid.ADVAPI32(?,?), ref: 00747C2C
                                                                                                                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00747CB1
                                                                                                                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00747CBF
                                                                                                                                                                                • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00747CD0
                                                                                                                                                                                • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00747CE0
                                                                                                                                                                                • LocalFree.KERNEL32(00000000), ref: 00747CEE
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                                                                                                • String ID: D
                                                                                                                                                                                • API String ID: 3722657555-2746444292
                                                                                                                                                                                • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                                                                                • Instruction ID: 6d5ce4fc84ce9974c9853f1ebcb556059f1cc5513be25013d457977b87ecc2c6
                                                                                                                                                                                • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                                                                                • Instruction Fuzzy Hash: 7C815B71904219AFDB25CFA4DD88FEEBBBCEF08304F04806AE505E6150E7799A41CBA4
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                                                                                                                • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                                                                                                                • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                                                                                                                • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Value$CloseOpenQuery
                                                                                                                                                                                • String ID: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe$localcfg
                                                                                                                                                                                • API String ID: 237177642-4107672054
                                                                                                                                                                                • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                                                                                                                • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                                                                                                                • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                                                                                                                • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7612F620), ref: 00402A83
                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,?,7612F620), ref: 00402A86
                                                                                                                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                                                                                                                • htons.WS2_32(00000000), ref: 00402ADB
                                                                                                                                                                                • select.WS2_32 ref: 00402B28
                                                                                                                                                                                • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                                                                                                                • htons.WS2_32(?), ref: 00402B71
                                                                                                                                                                                • htons.WS2_32(?), ref: 00402B8C
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                                                                                                • String ID: ]Vw`'Vw
                                                                                                                                                                                • API String ID: 1639031587-147723481
                                                                                                                                                                                • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                                                                                                                • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                                                                                                                • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                                                                                                                • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                                                                                                                • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ExecuteShelllstrlen
                                                                                                                                                                                • String ID: $%systemroot%\system32\cmd.exe$<$@$@EJv$D$uac$useless$wusa.exe
                                                                                                                                                                                • API String ID: 1628651668-3954050976
                                                                                                                                                                                • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                                                                                                • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                                                                                                                • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                                                                                                • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg$]Vw`'Vw
• API String ID: 835516345-2743630432
• Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
• Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
• Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0074865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0074867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 007486A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 007486B1
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe
• API String ID: 237177642-2344421956
• Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction ID: 355089f920a2aef7cc216b93c229489c2b79bb82e6c03665f61512eb923c60e7
• Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction Fuzzy Hash: 7DC1907190024DFEEB51ABA4DD89EFF7BBCEB05300F144076F604E6051EBB84A949B66
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShellExecuteExW.SHELL32(?), ref: 00741601
• lstrlenW.KERNEL32(-00000003), ref: 007417D8
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
• Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction ID: b779b260d34a436f15c1bcca5e9103bd6dc3a1d58177830f69769b573dcb701c
• Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction Fuzzy Hash: B3F18EB15083819FD720EF64C888BABB7E4FB89304F50892DF595D7290D7B8E984CB56
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,76132640,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll$]Vw`'Vw
• API String ID: 929413710-3538517857
• Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007476D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00747757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0074778F
• ___ascii_stricmp.LIBCMT ref: 007478B4
• RegCloseKey.ADVAPI32(?), ref: 0074794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0074796D
• RegCloseKey.ADVAPI32(?), ref: 0074797E
• RegCloseKey.ADVAPI32(?), ref: 007479AC
• RegCloseKey.ADVAPI32(?), ref: 00747A56
  • Part of subcall function 0074F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0074772A,?), ref: 0074F414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 007479F6
• RegCloseKey.ADVAPI32(?), ref: 00747A4D
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: dcc47306138f02559c9c51e1ba2d735cb8d8f49f90aa56220ec59c865973cc3e
• Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction Fuzzy Hash: A3C1A072904209EFEB259FA4DC49FEE7BB9EF45310F2040A5F504E6191EB799E84CB60
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,761311B0,?,761311B0,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(761311B0,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,761311B0,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(761311B0,?,761311B0,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(761311B0), ref: 00407208
• RegCloseKey.ADVAPI32(761311B0), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(761311B0), ref: 004072D0
• RegCloseKey.ADVAPI32(761311B0), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(761311B0), ref: 004073D8
                                                                                                                                                                                  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                                                                                                                • String ID: $"
                                                                                                                                                                                • API String ID: 4293430545-3817095088
                                                                                                                                                                                • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                                                                                                                • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                                                                                                                • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                                                                                                                • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 00742CED
                                                                                                                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 00742D07
                                                                                                                                                                                • htons.WS2_32(00000000), ref: 00742D42
                                                                                                                                                                                • select.WS2_32 ref: 00742D8F
                                                                                                                                                                                • recv.WS2_32(?,00000000,00001000,00000000), ref: 00742DB1
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00742E62
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 127016686-0
                                                                                                                                                                                • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                                                                                                                • Instruction ID: 97dd1b67a814434a3686414e53eded37f4486729584d9aedd3ed5dff16ec5b2b
                                                                                                                                                                                • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                                                                                                                • Instruction Fuzzy Hash: 6061F171904315ABC3209F61CC0CBABBBF8FF88341F954819F98497152D7B8D896CBA6
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                                                                                                                  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                                                                                                  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                                                                                                  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                                                                                                  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                                                                                                  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                                                                                                                  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                                                                                                                • wsprintfA.USER32 ref: 0040AEA5
                                                                                                                                                                                  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                                                                                                                • wsprintfA.USER32 ref: 0040AE4F
                                                                                                                                                                                • wsprintfA.USER32 ref: 0040AE5E
                                                                                                                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                                                                                                • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                                                                                                                • API String ID: 3631595830-1816598006
                                                                                                                                                                                • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                                                                                                                • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                                                                                                                • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                                                                                                                • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%
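The function above pairs GetLocalTime and SystemTimeToFileTime with wsprintfA and the format string ----=_NextPart_%03d_%04X_%08.8lX.%08.8lX, which is the MIME boundary layout Microsoft Outlook writes, alongside hostname lookups and %OUTLOOK_* placeholders; the bot is building Outlook-looking boundaries for the mail it sends. The Python below is an added example, not code from the sample or from Joe Sandbox: it renders such a boundary from a FILETIME and shows the converse check a mail filter can make, recovering the clock value embedded in the boundary and comparing it with the message's Date header. That the two %08.8lX fields carry the high and low FILETIME dwords, and the %03d/%04X counter values, are assumptions; the sample date is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Ticks (100 ns) between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch)
EPOCH_DIFF_TICKS = 116_444_736_000_000_000


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to a 64-bit FILETIME, as SystemTimeToFileTime would."""
    unix_secs = int(dt.timestamp())
    return unix_secs * 10_000_000 + dt.microsecond * 10 + EPOCH_DIFF_TICKS


def filetime_to_datetime(ft: int) -> datetime:
    """Inverse of datetime_to_filetime (UTC, 100 ns ticks truncated to microseconds)."""
    secs, rem = divmod(ft - EPOCH_DIFF_TICKS, 10_000_000)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=rem // 10)


def outlook_boundary(ft: int, part: int = 0, seq: int = 1) -> str:
    """Render "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX" the way wsprintfA would.
    Assumption: the two 8-digit fields are the high and low dwords of the FILETIME,
    and part/seq are small per-message counters."""
    high, low = ft >> 32, ft & 0xFFFFFFFF
    return "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX" % (part, seq, high, low)


BOUNDARY_RE = re.compile(
    r"----=_NextPart_(\d{3})_([0-9A-F]{4})_([0-9A-F]{8})\.([0-9A-F]{8})")


def boundary_timestamp(boundary: str):
    """Recover the FILETIME embedded in an Outlook-style boundary, or None if it
    does not have that shape."""
    m = BOUNDARY_RE.fullmatch(boundary)
    if m is None:
        return None
    ft = (int(m.group(3), 16) << 32) | int(m.group(4), 16)
    return filetime_to_datetime(ft)


def boundary_skew_seconds(boundary: str, date_header: datetime):
    """Seconds between the boundary's embedded clock and the Date header, or None
    when the boundary is not Outlook-style. A genuine client builds the boundary
    when the message is composed, so hours or days of skew is a filter signal."""
    ts = boundary_timestamp(boundary)
    if ts is None:
        return None
    return abs((ts - date_header).total_seconds())


# Constructed sample: a fixed composition time, not taken from the report
SAMPLE_DATE = datetime(2023, 9, 21, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_BOUNDARY = outlook_boundary(datetime_to_filetime(SAMPLE_DATE))

if __name__ == "__main__":
    print(SAMPLE_BOUNDARY)
    print(boundary_timestamp(SAMPLE_BOUNDARY))
```

Matching the boundary shape alone is not a verdict, since real Outlook clients produce it too; the skew between the embedded clock and the Date header, together with a missing Outlook X-Mailer, is what separates the template output from genuine mail.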

APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,761311B0,00000000), ref: 0040677E
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761311B0,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761311B0,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,761311B0,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,761311B0,00000000), ref: 004067D3
• ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,761311B0,00000000), ref: 00406807
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,761311B0,00000000), ref: 0040681F
• ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,761311B0,00000000), ref: 0040683E
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,761311B0,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,761311B0,00000000), ref: 0040688B
• SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,761311B0,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,761311B0,00000000), ref: 0040691C
• CloseHandle.KERNEL32(000000FF,?,761311B0,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 2622201749-0
• Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
• Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
Uniqueness

Uniqueness Score: -1.00%
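The read sizes in the function above, 0x40 bytes from the start, then a seek and 0xF8 bytes, then 0x28-byte reads, are exactly sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) and sizeof(IMAGE_SECTION_HEADER), so it walks a 32-bit PE's headers by hand; the SetFileAttributesA calls with 0x80 (NORMAL) before the open and 0x02 (HIDDEN) after suggest the target file is un-hidden for reading and hidden again. The Python below is an added example, not the sample's code, that performs the same walk over a PE image constructed inline and adds the check an analyst wants when a report flags "changes PE section rights": sections that are both writable and executable, or that have a virtual size but no file data, as a packer's unpack-into region does. Field offsets follow the Windows SDK headers; the section names and sizes in the sample image are made up.

```python
import struct

DOS_HEADER_SIZE = 0x40       # sizeof(IMAGE_DOS_HEADER)
NT_HEADERS32_SIZE = 0xF8     # Signature + IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32
SECTION_HEADER_SIZE = 0x28   # sizeof(IMAGE_SECTION_HEADER)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def walk_pe32_headers(image: bytes) -> dict:
    """Read the headers in the same order and sizes as the listing above."""
    dos = image[:DOS_HEADER_SIZE]
    if len(dos) < DOS_HEADER_SIZE or dos[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    nt = image[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if len(nt) < NT_HEADERS32_SIZE or nt[:4] != b"PE\0\0":
        raise ValueError("bad or truncated NT headers")
    # IMAGE_FILE_HEADER follows the 4-byte signature; the optional header follows it
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", nt, 4)
    magic = struct.unpack_from("<H", nt, 24)[0]            # IMAGE_OPTIONAL_HEADER.Magic
    if magic != 0x10B:
        raise ValueError("not PE32 (Magic=0x%X)" % magic)
    entry_rva = struct.unpack_from("<I", nt, 24 + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", nt, 24 + 28)[0]  # ImageBase
    sections = []
    off = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER (e_lfanew + 0xF8 for PE32)
    for _ in range(nsections):
        hdr = image[off:off + SECTION_HEADER_SIZE]
        if len(hdr) < SECTION_HEADER_SIZE:
            raise ValueError("truncated section table")
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack("<8sIIIIIIHHI", hdr)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_pointer": rawptr, "characteristics": chars,
        })
        off += SECTION_HEADER_SIZE
    return {"machine": machine, "entry_point": entry_rva, "image_base": image_base, "sections": sections}


def suspicious_sections(info: dict) -> list:
    """Names of sections that are writable and executable, or that occupy memory
    without any bytes in the file (both typical of self-unpacking samples)."""
    rwx_mask = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    out = []
    for s in info["sections"]:
        rwx = (s["characteristics"] & rwx_mask) == rwx_mask
        hollow = s["raw_size"] == 0 and s["virtual_size"] > 0
        if rwx or hollow:
            out.append(s["name"])
    return out


def build_minimal_pe32(sections) -> bytes:
    """Constructed test image: DOS header, PE32 headers, section table, no section data."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (DOS_HEADER_SIZE - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)     # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", *s) for s in sections)
    return bytes(dos).ljust(e_lfanew, b"\0") + b"PE\0\0" + file_header + bytes(opt) + table


# Made-up section table: normal code and data, plus an RWX section with no file bytes
SAMPLE_SECTIONS = [
    (b".text", 0x1000, 0x1000, 0x600, 0x400, 0, 0, 0, 0, 0x60000020),
    (b".data", 0x400, 0x2000, 0x200, 0xA00, 0, 0, 0, 0, 0xC0000040),
    (b".stub", 0x8000, 0x3000, 0, 0, 0, 0, 0, 0, 0xE0000040),
]

if __name__ == "__main__":
    info = walk_pe32_headers(build_minimal_pe32(SAMPLE_SECTIONS))
    for s in info["sections"]:
        print("%-8s rva=%08X raw=%06X chars=%08X" % (s["name"], s["virtual_address"], s["raw_size"], s["characteristics"]))
    print("suspicious:", suspicious_sections(info))
```

The walker reads sizes by the SDK structures rather than trusting the 0xF8 constant from the listing; a PE32+ or an image with a non-standard SizeOfOptionalHeader is rejected or handled through opt_size instead of being misparsed.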

APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
• Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
Uniqueness

Uniqueness Score: -1.00%
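Entries like the ones above repeat for every function Joe Sandbox disassembled, and reading them by eye does not scale. The Python below is an added example, not part of the report or of Joe Sandbox's tooling, that parses this listing format into one record per function, keeps direct calls apart from "Part of subcall function" calls, collects the String ID values, and annotates the few arguments whose meaning is fixed by the Windows SDK: the hive handle passed to RegOpenKeyExA (80000001 is HKEY_CURRENT_USER, 80000002 is HKEY_LOCAL_MACHINE) and the family/type/protocol passed to socket (2,2,17 is AF_INET, SOCK_DGRAM, IPPROTO_UDP). The sample input is an excerpt constructed from the UDP-receive and registry-walk entries above; the record layout is this example's own.

```python
import re

# "• name.MODULE(args), ref: ADDR"  or  "• name.MODULE ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
SUBCALL_RE = re.compile(r"^•\s*Part of subcall function (?P<sub>[0-9A-F]+):\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

# Constants with SDK-defined meaning, as hex strings in the listing's own notation
HKEYS = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
AF = {"00000002": "AF_INET", "00000017": "AF_INET6"}
SOCK = {"00000001": "SOCK_STREAM", "00000002": "SOCK_DGRAM"}
PROTO = {"00000000": "default", "00000006": "IPPROTO_TCP", "00000011": "IPPROTO_UDP"}


def annotate(name: str, args: list):
    """Decode arguments whose values are fixed constants; None when nothing applies."""
    if name.startswith("RegOpenKeyEx") and args:
        return "%s on %s" % (name, HKEYS.get(args[0], "hkey " + args[0]))
    if name == "socket" and len(args) == 3:
        return "socket(%s, %s, %s)" % (AF.get(args[0], args[0]),
                                       SOCK.get(args[1], args[1]),
                                       PROTO.get(args[2], args[2]))
    return None


def parse_listing(text: str) -> list:
    """Split the report text at each "APIs" heading and collect one record per function."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "subcalls": [], "strings": [], "notes": {}, "fields": {}}
            entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        m = SUBCALL_RE.match(line)
        if m:  # indirect call through a callee: keep the callee address with the API name
            call = API_RE.match("• " + m.group("rest"))
            if call:
                cur["subcalls"].append((m.group("sub"), call.group("name")))
            continue
        m = API_RE.match(line)
        if m:  # direct call, in listing order
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            cur["apis"].append(m.group("name"))
            note = annotate(m.group("name"), args)
            if note:
                cur["notes"][m.group("ref")] = note
            continue
        m = FIELD_RE.match(line)
        if m:  # metadata bullets such as Source File, String ID, Instruction Fuzzy Hash
            key, value = m.group("key"), m.group("value")
            cur["fields"][key] = value
            if key == "String ID" and value:
                cur["strings"] = value.split("$")
    return entries


def summarize(entry: dict) -> str:
    """One line per function: direct call sequence plus decoded constants."""
    seq = " -> ".join(entry["apis"])
    notes = "; ".join(entry["notes"][ref] for ref in sorted(entry["notes"]))
    return seq + (" [" + notes + "]" if notes else "")


# Constructed excerpt of two entries from the report above (bullets and refs copied as printed)
SAMPLE_LISTING = """\
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 00742CED
• socket.WS2_32(00000002,00000002,00000011), ref: 00742D07
• htons.WS2_32(00000000), ref: 00742D42
• select.WS2_32 ref: 00742D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00742DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00742E62
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• Instruction Fuzzy Hash: 6061F171904315ABC3209F61CC0CBABBBF8FF88341F954819F98497152D7B8D896CBA6
Uniqueness Score: -1.00%
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,761311B0,?,761311B0,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(761311B0,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,761311B0,00000000), ref: 0040719E
• ___ascii_stricmp.LIBCMT ref: 004072C2
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
• String ID: $"
"""

if __name__ == "__main__":
    for e in parse_listing(SAMPLE_LISTING):
        print(summarize(e))
```

Run over the whole report, the summaries make the two interesting patterns in this section obvious at a glance: one function opening a UDP socket and waiting in select/recv for up to 0x1000 bytes, and another enumerating values under an HKEY_CURRENT_USER key and testing whether each named file exists.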

                                                                                                                                                                                APIs
                                                                                                                                                                                • wsprintfA.USER32 ref: 0040B467
                                                                                                                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: lstrlen$wsprintf
                                                                                                                                                                                • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                                                                                                • API String ID: 1220175532-2340906255
                                                                                                                                                                                • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                                                                                                • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                                                                                                                • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                                                                                                • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetVersionExA.KERNEL32 ref: 0074202D
                                                                                                                                                                                • GetSystemInfo.KERNEL32(?), ref: 0074204F
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0074206A
                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00742071
                                                                                                                                                                                • GetCurrentProcess.KERNEL32(?), ref: 00742082
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00742230
                                                                                                                                                                                  • Part of subcall function 00741E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00741E7C
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                                                                                                • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                                                                                                                • API String ID: 4207808166-1391650218
                                                                                                                                                                                • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                                                                                                                • Instruction ID: 198f0d33f0d59ab4e133cd479612102028f22039550b4ff87ac6f57e3c69f9c3
                                                                                                                                                                                • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                                                                                                                • Instruction Fuzzy Hash: 7651B0B0900348AFE330AF758C8AF67BAECFB54704F40492DF99682143D7BDA9958765
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00402078
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 004020D4
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 004020DB
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040212B
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00402132
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00402142
                                                                                                                                                                                  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7558EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                                                                                                                  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7558EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                                                                                                                  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                                                                                                  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                                                                                                  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                                                                                                • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                                                                                                                • API String ID: 3976553417-1522128867
                                                                                                                                                                                • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                                                                                                • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                                                                                                                • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                                                                                                • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                                                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                                                                                                                • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: closesockethtonssocket
                                                                                                                                                                                • String ID: time_cfg
                                                                                                                                                                                • API String ID: 311057483-2401304539
                                                                                                                                                                                • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                                                                                                • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                                                                                                                • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                                                                                                • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                                                                                                                • ExitProcess.KERNEL32 ref: 00404121
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CreateEventExitProcess
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2404124870-0
                                                                                                                                                                                • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                                                                                                                • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                                                                                                                • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                                                                                                                • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                                                                                                  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040C363
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040C378
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                                                                                                                • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                                • API String ID: 1553760989-1857712256
                                                                                                                                                                                • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                                                                                                • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                                                                                                                • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                                                                                                • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00743068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00743078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 00743095
• RtlAllocateHeap.NTDLL(00000000), ref: 007430B6
• htons.WS2_32(00000035), ref: 007430EF
• inet_addr.WS2_32(?), ref: 007430FA
• gethostbyname.WS2_32(?), ref: 0074310D
• HeapFree.KERNEL32(00000000), ref: 0074314D
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: 864b56fa5fe5af2282559075a2eb445ef3748741aa7779e45a6fb218e4da7d90
• Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction Fuzzy Hash: 97319A31A0060AABDF119BB89C48AAE7778EF04761F144225F51CE7290DB7CDF41CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,76132640,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll$]Vw`'Vw
• API String ID: 3560063639-312264031
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?), ref: 007495A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007495D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 007495DC
• wsprintfA.USER32 ref: 00749635
• wsprintfA.USER32 ref: 00749673
• wsprintfA.USER32 ref: 007496F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00749758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0074978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 007497D8
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID:
• API String ID: 3696105349-0
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: ae6d1a74b350a94d5b8a397cbe4073c44ee22f232896630728f40eee73421cac
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: D7A16BB1940208EBEB21DFA0CC49FDB3BACEB45741F204026FA1596152E7B9D984CBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76128A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 007467C3
• htonl.WS2_32(?), ref: 007467DF
• htonl.WS2_32(?), ref: 007467EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 007468F1
• ExitProcess.KERNEL32 ref: 007469BC
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: 56d2a40df6b4aad73c63c38996c659fe959fb88f387219c4e4e877d0628ec318
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: 1D615F71940208EFDB609FA4DC45FEA77E9FB09300F14806AF96DD2161DBB5A9908F54
Uniqueness

Uniqueness Score: -1.00%
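
The function blocks above are easier to act on once the recurring facts are pulled out of them: which DLL exports the code resolves at run time instead of importing (GetProcAddress of DnsQuery_A with dnsapi.dll in the String ID field, and iphlpapi.dll loaded the same way), which port the WS2_32 calls are set up for (htons(00000035) is port 53, so the gethostbyname/inet_addr routine is doing its own DNS traffic), which literal strings the code compares against (smtp_herr, smtp_ban, smtp_retr in the lstrcmpiA block), and whether a function lives in the PE-backed image at 00400000 or in the region at 00740000 that is "based on PE: false", i.e. code that was unpacked or injected rather than mapped from the file. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses blocks in the layout shown above, run here over a constructed excerpt whose values are copied from this page. Its heuristics are this example's own assumptions, not Joe Sandbox behaviour: a DLL name is taken from the String ID field when the argument column only shows an address, htons arguments above 0xFFFF are treated as printed addresses rather than ports, and only lstrcmp/strcmp/wcscmp-family calls count as string comparisons.

```python
# Added triage helper (not part of Joe Sandbox): parse the IDA-plugin function blocks shown above.
import json
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout; the values are copied from the blocks above.
REPORT = """\
APIs
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00743078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 00743095
• htons.WS2_32(00000035), ref: 007430EF
• inet_addr.WS2_32(?), ref: 007430FA
• gethostbyname.WS2_32(?), ref: 0074310D
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
• String ID: iphlpapi.dll
APIs
• GetModuleHandleA.KERNEL32(00000000,76132640,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• String ID: DnsQuery_A$dnsapi.dll$]Vw`'Vw
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• String ID: smtp_ban$smtp_herr$smtp_retr
APIs
• htons.WS2_32(0074CC84), ref: 0074F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 0074F5CE
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
• String ID:
"""

API_RE = re.compile(r"^\s*•\s*(?P<func>\w+)\.(?P<module>[A-Z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)", re.M)
SOURCE_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
STRING_RE = re.compile(r"^\s*•\s*String ID:[ \t]*(?P<ids>.*)$", re.M)
HEX8_RE = re.compile(r"[0-9A-Fa-f]{8}")   # a raw DWORD argument as the plugin prints it
TOKEN_RE = re.compile(r"[\w.\-]+")         # printable identifier / DLL name inside String ID
Call = namedtuple("Call", "func module args ref")

@dataclass
class Block:
    calls: list
    offset: int = 0
    pe_backed: bool = True     # "based on PE: false" = code in a region no file on disk backs (unpacked/injected)
    strings: list = field(default_factory=list)

def is_literal(arg: str) -> bool:   # the plugin rendered a name, not '?' or a raw DWORD
    return arg != "?" and not HEX8_RE.fullmatch(arg)

def parse_blocks(report: str) -> list:
    blocks = []
    for chunk in re.split(r"^\s*APIs\s*$", report, flags=re.M)[1:]:
        calls = [Call(m["func"], m["module"],
                      [a.strip() for a in (m["args"] or "").split(",") if a.strip()],
                      int(m["ref"], 16)) for m in API_RE.finditer(chunk)]
        block = Block(calls)
        if src := SOURCE_RE.search(chunk):
            block.offset, block.pe_backed = int(src["offset"], 16), src["pe"] == "true"
        if ids := STRING_RE.search(chunk):
            block.strings = [t for t in ids["ids"].split("$") if TOKEN_RE.fullmatch(t)]
        blocks.append(block)
    return blocks

def dynamic_imports(block: Block) -> dict:   # DLLs/exports resolved at run time instead of imported
    libs, procs = set(), set()
    for c in block.calls:
        if c.func.startswith(("LoadLibrary", "GetModuleHandle")):
            libs.update(a for a in c.args if is_literal(a))
        elif c.func == "GetProcAddress" and len(c.args) > 1 and is_literal(c.args[1]):
            procs.add(c.args[1])
    # Assumption: when the argument column only shows an address, the String ID field still names the DLL.
    libs.update(s for s in block.strings if s.lower().endswith(".dll"))
    return {"libraries": sorted(libs), "procs": sorted(procs)}

AF, SOCK = {2: "AF_INET", 23: "AF_INET6"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}

def network_profile(block: Block) -> dict:
    ports, sockets = [], []
    for c in block.calls:
        if c.func == "htons" and c.args and HEX8_RE.fullmatch(c.args[0]) and int(c.args[0], 16) <= 0xFFFF:
            ports.append(int(c.args[0], 16))   # assumption: values above 0xFFFF are printed addresses, not ports
        elif c.func == "socket" and len(c.args) > 1 and all(HEX8_RE.fullmatch(a) for a in c.args[:2]):
            fam, typ = (int(a, 16) for a in c.args[:2])
            sockets.append(f"{AF.get(fam, fam)}/{SOCK.get(typ, typ)}")
    resolvers = sorted({c.func for c in block.calls if c.func in {"gethostbyname", "getaddrinfo", "inet_addr", "DnsQuery_A"}})
    return {"ports": ports, "sockets": sockets, "resolvers": resolvers}

def compared_literals(block: Block) -> list:   # literal strings the function compares against (config keys etc.)
    return sorted({a for c in block.calls if c.func.startswith(("lstrcmp", "strcmp", "wcscmp"))
                   for a in c.args if is_literal(a)})

def triage(report: str) -> list:
    return [{"offset": f"{b.offset:08X}", "pe_backed": b.pe_backed, "dynamic_imports": dynamic_imports(b),
             "network": network_profile(b), "compared_literals": compared_literals(b)} for b in parse_blocks(report)]

if __name__ == "__main__":
    print(json.dumps(triage(REPORT), indent=2))
```

Running it prints one JSON record per function. The records whose pe_backed is false are the ones to read first: they come from the 00740000 region that no file on disk backs, and on this page that is where the port-53 resolver, the localcfg/except_info handler and the AF_INET/SOCK_STREAM socket setup all live. Note what the parser cannot recover: in the first block GetProcAddress receives 00410408, an address of a name string the plugin did not dereference, so the export resolved from iphlpapi.dll stays unknown without the memory dump.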

APIs
• htons.WS2_32(0074CC84), ref: 0074F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 0074F5CE
• closesocket.WS2_32(00000000), ref: 0074F5DC
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
                                                                                                                                                                                • String ID: time_cfg
                                                                                                                                                                                • API String ID: 311057483-2401304539
                                                                                                                                                                                • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                                                                                                • Instruction ID: f6a2ddb5b5a291d4193c385a1d9cdcb4203fb2485dcab6c1f4c81871e425f971
                                                                                                                                                                                • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                                                                                                • Instruction Fuzzy Hash: 24317872901118ABDB10DFA9DC89DEFBBBCEF88310F11456AF915E3150E7748A818BA5
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                                                                                                • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                                                                                                • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                                                                                                • wsprintfA.USER32 ref: 00407036
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                                                                                                • String ID: /%d$|
                                                                                                                                                                                • API String ID: 676856371-4124749705
                                                                                                                                                                                • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                                                                                                • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                                                                                                                • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                                                                                                • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(?), ref: 00742FA1
                                                                                                                                                                                • LoadLibraryA.KERNEL32(?), ref: 00742FB1
                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,004103F0), ref: 00742FC8
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00743000
                                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 00743007
                                                                                                                                                                                • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00743032
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                                                                                                • String ID: dnsapi.dll
                                                                                                                                                                                • API String ID: 1242400761-3175542204
                                                                                                                                                                                • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                                                                                                • Instruction ID: 450330b5ad563baddef2fceec9a9b61318ff3c8c145422806621fa57b8df3b03
                                                                                                                                                                                • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                                                                                                • Instruction Fuzzy Hash: B221C171940229BBCB219B95DC48AEEBBBDEF08B10F404421F905E3150D7B89E8587E0
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                                                                                                • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                                                                                                • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                                                                                                                • API String ID: 1082366364-3395550214
                                                                                                                                                                                • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                                                                                                • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                                                                                                                • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                                                                                                • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00749A18
                                                                                                                                                                                • GetThreadContext.KERNEL32(?,?), ref: 00749A52
                                                                                                                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 00749A60
                                                                                                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00749A98
                                                                                                                                                                                • SetThreadContext.KERNEL32(?,00010002), ref: 00749AB5
                                                                                                                                                                                • ResumeThread.KERNEL32(?), ref: 00749AC2
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                                                                                                • String ID: D
                                                                                                                                                                                • API String ID: 2981417381-2746444292
                                                                                                                                                                                • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                                                                                                • Instruction ID: 9d6b62081588d00201d640c3d129d79b9d8a06d6a0fb29ba6d5aa87621164ac0
                                                                                                                                                                                • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                                                                                                • Instruction Fuzzy Hash: E9213BB1A01219BBDB11DBA1DC09EEFBBBCEF05750F408061FA19E1150E7798A44CBA4
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • inet_addr.WS2_32(004102D8), ref: 00741C18
                                                                                                                                                                                • LoadLibraryA.KERNEL32(004102C8), ref: 00741C26
                                                                                                                                                                                • GetProcessHeap.KERNEL32 ref: 00741C84
                                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00741C9D
                                                                                                                                                                                • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00741CC1
                                                                                                                                                                                • HeapFree.KERNEL32(?,00000000,00000000), ref: 00741D02
                                                                                                                                                                                • FreeLibrary.KERNEL32(?), ref: 00741D0B
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2324436984-0
                                                                                                                                                                                • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                                                                                                • Instruction ID: 5fa7d3c7aff946033c0c49fc085b765df152c9afc4c19583a06074b4e51db22a
                                                                                                                                                                                • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                                                                                                • Instruction Fuzzy Hash: 97314F71E00219FFCB11AFE4DD888FEBBB9EB45711B64447AE505A2110D7B94EC0DBA4
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID:
• String ID: ]Vw`'Vw
• API String ID: 0-147723481
• Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
• Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00746CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00746D22
• GetLastError.KERNEL32 ref: 00746DA7
• CloseHandle.KERNEL32(?), ref: 00746DB5
• GetLastError.KERNEL32 ref: 00746DD6
• DeleteFileA.KERNEL32(?), ref: 00746DE7
• GetLastError.KERNEL32 ref: 00746DFD
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ce0cdec72c218be419ce2d37e57b0b6d1f86778aa247fafa450894609603c039
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6F31BD76E00249FFCF01AFA4DD48ADE7FB9EB4A310F148066E251E3251D7748A958F62
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\imehaowx,00747043), ref: 00746F4E
• GetProcAddress.KERNEL32(00000000), ref: 00746F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00746F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00746F92
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$\\.\pipe\imehaowx
• API String ID: 1082366364-2204482974
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: 7d6cb92cb9b5bb9565179f88736f21de2e78f07f11fe95e4294d6cce5a01c62c
• Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction Fuzzy Hash: E6210521745344BAF7225331AC8DFFB2E4C8B53721F1840A5F544E64A2DBDD88DAC2AE
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
• Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
• Instruction ID: 52f434c64c9b9c3270739fbb5144e6cf5e7d23f5037b002a10bdae966abe0009
• Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
• Instruction Fuzzy Hash: 227129B1FC4308BAEF218B54DCC6FEE3769EB01705F244026F905A6091DB6E9D848B67
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
• Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0074DF6C: GetCurrentThreadId.KERNEL32 ref: 0074DFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 0074E8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00746128), ref: 0074E950
• lstrcmp.KERNEL32(?,00000008), ref: 0074E989
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: 4184892cc4629e26c79c73dd90967e87b5a00d68d601dba0f994c8b258f07060
• Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction Fuzzy Hash: 0E317E31600715EBDF718F24C888BA67BE8FB15731F10892AE59687591D378FC84CB92
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
• Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: 7e862f71146ab3dbc8b46b0d3f69da226e992cecf6d8899443596fcbb73a8df2
• Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction Fuzzy Hash: A4214D76504125FFEB109B70FC49EDF3FEDEB4A760B208425F502D1091EB799A409675
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                                                                                                                • wsprintfA.USER32 ref: 004090E9
                                                                                                                                                                                • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                                                                                                • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2439722600-0
                                                                                                                                                                                • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                                                                                                • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                                                                                                                • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                                                                                                • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                                                                                                                 Uniqueness
                                                                                                                                                                                 • Uniqueness Score: -1.00%
                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTempPathA.KERNEL32(00000400,?), ref: 007492E2
                                                                                                                                                                                • wsprintfA.USER32 ref: 00749350
                                                                                                                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00749375
                                                                                                                                                                                • lstrlen.KERNEL32(?,?,00000000), ref: 00749389
                                                                                                                                                                                • WriteFile.KERNEL32(00000000,?,00000000), ref: 00749394
                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0074939B
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2439722600-0
                                                                                                                                                                                • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                                                                                                                • Instruction ID: 5f7f354fc97b7a13501a8a7e0c6cc6d804e5faef1ee494a97efc8631acc521c7
                                                                                                                                                                                • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                                                                                                                • Instruction Fuzzy Hash: 9D1196B1740114BBE7606B31EC0EFEF3A6DDBC9B10F00C065BB09E5091EFB84A558664
                                                                                                                                                                                 Uniqueness
                                                                                                                                                                                 • Uniqueness Score: -1.00%
                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                                                                                                                • Sleep.KERNEL32(00000000,?,761311B0,?,00000000,0040E538,?,761311B0,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                                                                                                                • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3819781495-0
                                                                                                                                                                                • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                                                                                                • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                                                                                                                • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                                                                                                • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                                                                                                                 Uniqueness
                                                                                                                                                                                 • Uniqueness Score: -1.00%
                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0074C6B4
                                                                                                                                                                                • InterlockedIncrement.KERNEL32(0074C74B), ref: 0074C715
                                                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0074C747), ref: 0074C728
                                                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,0074C747,00413588,00748A77), ref: 0074C733
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                                • API String ID: 1026198776-1857712256
                                                                                                                                                                                • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                                                                                                • Instruction ID: 27ecf7a9895b7f5e0d05ef4024b614188c6c7862e9cae8d0978497e1842a53fb
                                                                                                                                                                                • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                                                                                                • Instruction Fuzzy Hash: 5B514BB1A02B418FD7659F29C5C552AFBE9FB48300B61593EE18BC7AA0D778F840CB11
                                                                                                                                                                                 Uniqueness
                                                                                                                                                                                 • Uniqueness Score: -1.00%
                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,761311B0,00000000), ref: 0040815F
                                                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,761311B0,00000000), ref: 00408187
                                                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,761311B0,00000000), ref: 004081BE
                                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,761311B0,00000000), ref: 00408210
                                                                                                                                                                                  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,761311B0,00000000), ref: 0040677E
                                                                                                                                                                                  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761311B0,00000000), ref: 0040679A
                                                                                                                                                                                  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761311B0,00000000), ref: 004067B0
                                                                                                                                                                                  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,761311B0,00000000), ref: 004067BF
                                                                                                                                                                                  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,761311B0,00000000), ref: 004067D3
                                                                                                                                                                                  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,761311B0,00000000), ref: 00406807
                                                                                                                                                                                  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,761311B0,00000000), ref: 0040681F
                                                                                                                                                                                  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,761311B0,00000000), ref: 0040683E
                                                                                                                                                                                  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,761311B0,00000000), ref: 0040685C
                                                                                                                                                                                  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                                                                                                  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                                                                                                • String ID: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe
                                                                                                                                                                                • API String ID: 124786226-3552900515
                                                                                                                                                                                • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                                                                                                                • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                                                                                                                • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                                                                                                                • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                                                                                                                 Uniqueness
                                                                                                                                                                                 • Uniqueness Score: -1.00%
                                                                                                                                                                                APIs
                                                                                                                                                                                • RegCreateKeyExA.ADVAPI32(80000001,0074E50A,00000000,00000000,00000000,00020106,00000000,0074E50A,00000000,000000E4), ref: 0074E319
                                                                                                                                                                                • RegSetValueExA.ADVAPI32(0074E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0074E38E
                                                                                                                                                                                • RegDeleteValueA.ADVAPI32(0074E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dt), ref: 0074E3BF
                                                                                                                                                                                • RegCloseKey.ADVAPI32(0074E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dt,0074E50A), ref: 0074E3C8
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID: Dt
• API String ID: 2667537340-659336120
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: 1adb0634de8ea2fb60c19c2f6943b1803670e00a5ac758984722de7196f2a9f4
• Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction Fuzzy Hash: 7B214A71A0021DABDF219FA4EC89EEE7F79EF08760F008061F904A6161E7718A54D7A0
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 007471E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00747228
• LocalFree.KERNEL32(?,?,?), ref: 00747286
• wsprintfA.USER32 ref: 0074729D
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: 4e0ac2281bfdcf3eeffacd8172dc54d93a9318ec5f4f278f2d99d197afbcf7c6
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: 65311C72904108BBDB01DFA4DC49ADA7BBCEF04354F148166F959DB101EB79D648CB94
Uniqueness
Uniqueness Score: -1.00%
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
Uniqueness
Uniqueness Score: -1.00%
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
• Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetLocalTime.KERNEL32(?), ref: 0074B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0074B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0074B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0074B590
• wsprintfA.USER32 ref: 0074B61E
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 5a483ba9c181d32b59ec1d4d3e8be2a0a6ecab30b81a7d404f6ff0012d9b56a2
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: 445110B1D0021CAACF14DFD5D8895EEFBB9BF48304F10816AF505A6150E7B88AC9CF98
Uniqueness
Uniqueness Score: -1.00%
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
• Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
• Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
Uniqueness
Uniqueness Score: -1.00%
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
Uniqueness
Uniqueness Score: -1.00%
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00746303
• LoadLibraryA.KERNEL32(?), ref: 0074632A
• GetProcAddress.KERNEL32(00000000,?), ref: 007463B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00746405
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
• Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction ID: 5d9c18f314b851374638d268d507b3f30a3966ad971af20d6f66721eb79b006e
• Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction Fuzzy Hash: 76418BB1A00259EFDB14CF98C884BA9B7B8FF06314F288079E915D7290E778EE40CB51
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                                                                                  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                                                                                  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                                                                                • lstrcmpA.KERNEL32(761311B8,00000000,?,761311B0,00000000,?,00405EC1), ref: 0040E693
                                                                                                                                                                                • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,761311B0,00000000,?,00405EC1), ref: 0040E6E9
                                                                                                                                                                                • lstrcmpA.KERNEL32(?,00000008,?,761311B0,00000000,?,00405EC1), ref: 0040E722
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                                                                                                • String ID: A$ A
                                                                                                                                                                                • API String ID: 3343386518-686259309
                                                                                                                                                                                • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                                                                                                • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                                                                                                                • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                                                                                                • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040272E
                                                                                                                                                                                • htons.WS2_32(00000001), ref: 00402752
                                                                                                                                                                                • htons.WS2_32(0000000F), ref: 004027D5
                                                                                                                                                                                • htons.WS2_32(00000001), ref: 004027E3
                                                                                                                                                                                • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                                                                                                  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                                                                                                  • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1802437671-0
                                                                                                                                                                                • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                                                                                                • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                                                                                                                • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                                                                                                • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                                                                                                                • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                                                                                                                • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                                                                                                                • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                                                                                                                • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: setsockopt
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3981526788-0
                                                                                                                                                                                • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                                                                                                • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                                                                                                                • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                                                                                                • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                                                                                                                • CharToOemA.USER32(?,?), ref: 00409174
                                                                                                                                                                                • wsprintfA.USER32 ref: 004091A9
                                                                                                                                                                                  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                                                                                                                  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                                                                                                  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                                                                                                  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                                                                                                  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                                                                                                  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                                                                                                • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3857584221-0
                                                                                                                                                                                • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                                                                                                • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                                                                                                                • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                                                                                                • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007493C6
                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 007493CD
                                                                                                                                                                                • CharToOemA.USER32(?,?), ref: 007493DB
                                                                                                                                                                                • wsprintfA.USER32 ref: 00749410
                                                                                                                                                                                  • Part of subcall function 007492CB: GetTempPathA.KERNEL32(00000400,?), ref: 007492E2
                                                                                                                                                                                  • Part of subcall function 007492CB: wsprintfA.USER32 ref: 00749350
                                                                                                                                                                                  • Part of subcall function 007492CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00749375
                                                                                                                                                                                  • Part of subcall function 007492CB: lstrlen.KERNEL32(?,?,00000000), ref: 00749389
                                                                                                                                                                                  • Part of subcall function 007492CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00749394
                                                                                                                                                                                  • Part of subcall function 007492CB: CloseHandle.KERNEL32(00000000), ref: 0074939B
                                                                                                                                                                                • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00749448
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3857584221-0
                                                                                                                                                                                • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                                                                                                • Instruction ID: 5b0afed918e05817027b93285f97f35c5544dbc408577a5be77044217c42c8d7
                                                                                                                                                                                • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                                                                                                • Instruction Fuzzy Hash: 0C0140F6940158BBD721A7619D4DEDF367CDB95701F0040A1BB49E2080DBB896C58F75
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%
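Two of the routines listed above are worth decoding rather than reading as raw hex: the setsockopt helper at 0040F2A0 (five calls whose level/optname pairs are printed as numbers), and the pair of routines at 0040915F and 007493C6 that take their own module path (GetModuleFileNameA, then CharToOemA to the OEM code page), build a file under GetTempPathA, write it and hand it to ShellExecuteA with nShowCmd 0. The second pattern is what the report's "Deletes itself after installation" signature refers to; the contents of the dropped file are not shown on this page, so the script below only matches the API chain and the CreateFileA flags, not the payload. The following is an added example, not part of the Joe Sandbox report: it parses API-call lines in the shape the report prints them (the sample text is copied from the listings above), names the Winsock constants from winsock2.h (SOL_SOCKET 0xFFFF, SO_REUSEADDR 0x0004, SO_LINGER 0x0080, SO_SNDTIMEO 0x1005, SO_RCVTIMEO 0x1006, IPPROTO_TCP 6, TCP_NODELAY 1), and flags the drop-to-temp-and-execute chain. The function and variable names are the example's own.

```python
import re
from typing import NamedTuple

# Constructed sample: API-call lines copied from the report listings for the
# ShellExecuteA routine at 0x007493C6 and the setsockopt helper at 0x0040F2A0.
SAMPLE_LINES = """
GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007493C6
GetModuleFileNameA.KERNEL32(00000000), ref: 007493CD
CharToOemA.USER32(?,?), ref: 007493DB
wsprintfA.USER32 ref: 00749410
GetTempPathA.KERNEL32(00000400,?), ref: 007492E2
wsprintfA.USER32 ref: 00749350
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00749375
lstrlen.KERNEL32(?,?,00000000), ref: 00749389
WriteFile.KERNEL32(00000000,?,00000000), ref: 00749394
CloseHandle.KERNEL32(00000000), ref: 0074939B
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00749448
setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
"""


class ApiCall(NamedTuple):
    name: str
    module: str
    args: tuple      # int for hex values, None for '?', str for literal strings
    ref: int         # call-site address


# Matches "Name.MODULE(args), ref: ADDR" and the bare "Name.MODULE ref: ADDR"
# form the report uses when it prints no arguments; an optional bullet and
# "Part of subcall function XXXX:" prefix are tolerated.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_arg(tok):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    try:
        return int(tok, 16)       # note: a literal like "A" is indistinguishable from 0xA
    except ValueError:
        return tok                # string arguments such as "localcfg" stay as text


def parse_calls(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(parse_arg(a) for a in raw.split(",")) if raw is not None else ()
        calls.append(ApiCall(m.group("name"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


# Winsock constants (winsock2.h); SOL_SOCKET is the 0xFFFF the report prints.
SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
SO_OPTS = {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0080: "SO_LINGER",
           0x1001: "SO_SNDBUF", 0x1002: "SO_RCVBUF",
           0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}
TCP_OPTS = {1: "TCP_NODELAY"}


def decode_setsockopt(call):
    """Name the (level, optname) pair of one setsockopt record; unknowns stay hex."""
    level, opt = call.args[1], call.args[2]
    if level is None or opt is None:
        return ("?", "?")
    if level == SOL_SOCKET:
        return ("SOL_SOCKET", SO_OPTS.get(opt, hex(opt)))
    if level == IPPROTO_TCP:
        return ("IPPROTO_TCP", TCP_OPTS.get(opt, hex(opt)))
    return (hex(level), hex(opt))


def socket_options(calls):
    return [decode_setsockopt(c) for c in calls if c.name == "setsockopt"]


# Ordered chain: own path -> temp dir -> create for write -> write -> close -> execute.
GENERIC_WRITE, CREATE_ALWAYS = 0x40000000, 2
DROP_AND_RUN_CHAIN = ("GetModuleFileNameA", "GetTempPathA", "CreateFileA",
                      "WriteFile", "CloseHandle", "ShellExecuteA")


def find_drop_and_execute(calls):
    """True if the calls contain the chain in order, with CreateFileA opened
    GENERIC_WRITE / CREATE_ALWAYS (dwDesiredAccess is arg 1, disposition arg 4)."""
    want = iter(DROP_AND_RUN_CHAIN)
    target = next(want)
    for c in calls:
        if c.name != target:
            continue
        if c.name == "CreateFileA" and not (c.args[1] == GENERIC_WRITE and c.args[4] == CREATE_ALWAYS):
            continue
        target = next(want, None)
        if target is None:
            return True
    return False


if __name__ == "__main__":
    calls = parse_calls(SAMPLE_LINES)
    for level, opt in socket_options(calls):
        print(f"setsockopt {level}/{opt}")
    print("drop-to-temp-and-execute chain:", find_drop_and_execute(calls))
```

Decoded, the helper at 0040F2A0 sets SO_REUSEADDR, a send and a receive timeout (optlen 4, a DWORD of milliseconds), TCP_NODELAY and SO_LINGER: ordinary tuning for a connection the bot expects to keep busy, and a useful signature fragment when paired with the sendto/htons routine at 0040272E. The chain matcher is deliberately loose (a subsequence, not adjacency), because the report interleaves subcall lines with the caller's own calls.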

                                                                                                                                                                                APIs
                                                                                                                                                                                • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                                                                                                                • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                                                                                                                • lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
• Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
• Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
• Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
• Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
• Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
Uniqueness
Uniqueness Score: -1.00%

APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
• Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
• Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 23370dd8c60b69d6c34cfbdf1cb7a4bb7d0b182411274f3a34a596063c270ce9
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 3EE0C2306041118FDB008B2CF848AD937E8EF0A330F4181C0F040D31A1C738DCC29744
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 007469E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00746A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 00746A3A
• CloseHandle.KERNEL32(000000FF), ref: 00746BD8
  • Part of subcall function 0074EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00741DCF,?), ref: 0074EEA8
  • Part of subcall function 0074EE95: HeapFree.KERNEL32(00000000), ref: 0074EEAF
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
• Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
• Instruction ID: 70b153c39bcc3250b292f3387199e545d0676331704becc08bc279525286ee4e
• Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
• Instruction Fuzzy Hash: 5A7128B190021DEFDF10DFA4CC849EEBBB9FB05314F20856AE525E6190D7349E92DB50
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
• Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
• Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
• Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                                                                                                                • GetLastError.KERNEL32 ref: 00403F4E
                                                                                                                                                                                • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                                                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3373104450-0
                                                                                                                                                                                • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                                                                • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                                                                                                                • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                                                                • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                                                                                                                • GetLastError.KERNEL32 ref: 00403FC2
                                                                                                                                                                                • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                                                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 888215731-0
                                                                                                                                                                                • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                                                                • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                                                                                                                • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                                                                • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 007441AB
                                                                                                                                                                                • GetLastError.KERNEL32 ref: 007441B5
                                                                                                                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 007441C6
                                                                                                                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 007441D9
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3373104450-0
                                                                                                                                                                                • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                                                                • Instruction ID: c29e354f7fe9fe5c24e93d1d96e7dab8dc0b6d8d51ba243aa0c1ef1d396c8d3d
                                                                                                                                                                                • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                                                                • Instruction Fuzzy Hash: 2901A57691110EABDF01DF91ED84BEE7BACEB18355F108061F901E2050D7749AA49BBA
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0074421F
                                                                                                                                                                                • GetLastError.KERNEL32 ref: 00744229
                                                                                                                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 0074423A
                                                                                                                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0074424D
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 888215731-0
                                                                                                                                                                                • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                                                                • Instruction ID: 1473bd6191cc85010d6ffbb92c8b1d25d71cefb7fd08400c5da6d219f8b44a70
                                                                                                                                                                                • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                                                                • Instruction Fuzzy Hash: 2401A272911209ABDF01DF90EE84BEF7BACFB08356F108461F901E2050D7B4AA549BB6
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • lstrcmp.KERNEL32(?,80000009), ref: 0074E066
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: lstrcmp
                                                                                                                                                                                • String ID: A$ A$ A
                                                                                                                                                                                • API String ID: 1534048567-1846390581
                                                                                                                                                                                • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                                                                                                • Instruction ID: 8aaa5b77b89296526ad358b4c1df79fe0c8e6d6a5fa967e5a3783b1d9fa9c5bf
                                                                                                                                                                                • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                                                                                                • Instruction Fuzzy Hash: 09F062312007029BCB20CF65D884A92B7E9FB05331B64862BE164C3070D3B8A898CB51
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                                                                                                                • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                                • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                                                                                                • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                                                                                                                • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                                                                                                • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                                                                                                • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                                • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                                                                                • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                                                                                                • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                                                                                • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

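The function entries above list each function's calls in the report's own "• Api.MODULE(args), ref: addr" form and give an "API ID" derived from those call names. Two idioms recur across the listed functions: ReadFile or WriteFile followed by GetLastError, WaitForSingleObject and GetOverlappedResult (the standard overlapped I/O completion sequence), and two GetTickCount reads around a Sleep followed by InterlockedExchange (elapsed-time measurement across a delay). The Python below is an added example, not Joe Sandbox code: it parses such entries, rebuilds the API ID with a rule inferred only from the entries on this page (CamelCase words of each API name, "Get" and "For" dropped, words occurring more than once listed first, then "$", then the remaining words, each group sorted), and labels the two idioms. The stop-word set, the idiom labels and the reading of Sleep's first listed argument as dwMilliseconds are assumptions; the rule is verified only against the API IDs shown here.

```python
"""Parse Joe Sandbox 'APIs' entries and reconstruct the report's 'API ID'.

Added example for this report, not Joe Sandbox code. The API ID rule is
INFERRED from the entries on this page and verified only against them.
"""
import re
from collections import Counter

# Constructed sample: two function entries copied in the report's own line format.
SAMPLE = """\
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
"""

# '• Api.MODULE(arg,arg), ref: ADDR' or '• Api.MODULE ref: ADDR'
API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Assumption: words the API ID drops. Inferred from this page's examples only.
STOP_WORDS = {"Get", "For"}


def parse_api_blocks(text):
    """Return one list per 'APIs' section, each holding (api, module, args, ref) tuples."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            current.append((m["api"], m["mod"], args, int(m["ref"], 16)))
        elif line and current is not None:
            current = None  # any other non-empty line ends the APIs list
    return blocks


def camel_words(name):
    """'WaitForSingleObject' -> ['Wait', 'For', 'Single', 'Object']; 'lstrcmp' -> ['lstrcmp']."""
    return re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+", name)


def api_id(block):
    """Rebuild the 'API ID': repeated words (sorted), '$', then single words (sorted)."""
    counts = Counter(w for api, *_ in block for w in camel_words(api) if w not in STOP_WORDS)
    repeated = sorted(w for w, n in counts.items() if n > 1)
    single = sorted(w for w, n in counts.items() if n == 1)
    return "".join(repeated) + ("$" if repeated else "") + "".join(single)


def sleep_ms(block):
    """First listed Sleep argument as an int (assumed to be dwMilliseconds), or None."""
    for api, _mod, args, _ref in block:
        if api == "Sleep" and args and args[0] != "?":
            return int(args[0], 16)
    return None


def classify(block):
    """Label the two call idioms that recur in this report's function list."""
    names = [api for api, *_ in block]
    labels = []
    # Read/WriteFile, GetLastError (ERROR_IO_PENDING check), WaitForSingleObject,
    # GetOverlappedResult is the standard overlapped I/O completion sequence.
    if {"GetLastError", "WaitForSingleObject", "GetOverlappedResult"} <= set(names) \
            and ("ReadFile" in names or "WriteFile" in names):
        labels.append("overlapped-io-wait")
    # Two GetTickCount reads around a Sleep measure elapsed time across the delay.
    if names.count("GetTickCount") >= 2 and "Sleep" in names:
        labels.append("tickcount-delay-loop")
    return labels


if __name__ == "__main__":
    for block in parse_api_blocks(SAMPLE):
        print(f"{api_id(block):55} {classify(block)} sleep_ms={sleep_ms(block)}")
```

Paste further "APIs" entries from the report into SAMPLE (or read them from a saved copy of the page) to check that the reconstructed API ID matches the one printed for each function; a mismatch means the inferred rule does not cover that entry's API names.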
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                                • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                                                                                                • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                                                                                                                • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                                                                                                • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 00403103
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                                                                                                • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2207858713-0
                                                                                                                                                                                • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                                                                                                • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                                                                                                                • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                                                                                                • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • WriteFile.KERNEL32(00000001,Dt,00000000,00000000,00000000), ref: 0074E470
                                                                                                                                                                                • CloseHandle.KERNEL32(00000001,00000003), ref: 0074E484
                                                                                                                                                                                  • Part of subcall function 0074E2FC: RegCreateKeyExA.ADVAPI32(80000001,0074E50A,00000000,00000000,00000000,00020106,00000000,0074E50A,00000000,000000E4), ref: 0074E319
                                                                                                                                                                                  • Part of subcall function 0074E2FC: RegSetValueExA.ADVAPI32(0074E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0074E38E
                                                                                                                                                                                  • Part of subcall function 0074E2FC: RegDeleteValueA.ADVAPI32(0074E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dt), ref: 0074E3BF
                                                                                                                                                                                  • Part of subcall function 0074E2FC: RegCloseKey.ADVAPI32(0074E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dt,0074E50A), ref: 0074E3C8
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                                                                                                • String ID: Dt
                                                                                                                                                                                • API String ID: 4151426672-659336120
                                                                                                                                                                                • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                                                                                                • Instruction ID: ba14b2dad52c724a3cc9ffda283e92c49a52d42b03440a39f38ac6dc6695b3e6
                                                                                                                                                                                • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                                                                                                • Instruction Fuzzy Hash: 3641C975D00214FAEB206F558C4AFEB3B6CFF04734F548075FA0994092E7B98A60D6B5
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 007483C6
                                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00748477
                                                                                                                                                                                  • Part of subcall function 007469C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 007469E5
                                                                                                                                                                                  • Part of subcall function 007469C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00746A26
                                                                                                                                                                                  • Part of subcall function 007469C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00746A3A
                                                                                                                                                                                  • Part of subcall function 0074EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00741DCF,?), ref: 0074EEA8
                                                                                                                                                                                  • Part of subcall function 0074EE95: HeapFree.KERNEL32(00000000), ref: 0074EEAF
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                                                                                                • String ID: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe
                                                                                                                                                                                • API String ID: 359188348-3552900515
                                                                                                                                                                                • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                                                                                                • Instruction ID: f52b0a36ead8e8df21503e5bfe4aeeebc75ebe385756fb450ae31b20b00dda67
                                                                                                                                                                                • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                                                                                                • Instruction Fuzzy Hash: 7E4160B290015DBFEB50AFA89D85EFF776CEB04340F144466F604E6011EBB85A948B66
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetLocalTime.KERNEL32(?), ref: 0074AFFF
                                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0074B00D
                                                                                                                                                                                  • Part of subcall function 0074AF6F: gethostname.WS2_32(?,00000080), ref: 0074AF83
                                                                                                                                                                                  • Part of subcall function 0074AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0074AFE6
                                                                                                                                                                                  • Part of subcall function 0074331C: gethostname.WS2_32(?,00000080), ref: 0074333F
                                                                                                                                                                                  • Part of subcall function 0074331C: gethostbyname.WS2_32(?), ref: 00743349
                                                                                                                                                                                  • Part of subcall function 0074AA0A: inet_ntoa.WS2_32(00000000), ref: 0074AA10
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                                                                                                • String ID: %OUTLOOK_BND_
                                                                                                                                                                                • API String ID: 1981676241-3684217054
                                                                                                                                                                                • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                                                                                                • Instruction ID: 219c482d39adef3bb600db47c4808480764c744fc37ad5451805e0db6fdf53c7
                                                                                                                                                                                • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                                                                                                • Instruction Fuzzy Hash: 1841027290424CEBDB25EFA0DC4AEEF3B6CFB44304F144426F92992152EB79DA548B54
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00749536
                                                                                                                                                                                • Sleep.KERNEL32(000001F4), ref: 0074955D
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ExecuteShellSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 4194306370-3916222277
                                                                                                                                                                                • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                                                                                                • Instruction ID: ff1f4f068ed69e31fe36194be591787ceb3ccef477b7061d501fa6e8c11d93bd
                                                                                                                                                                                • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                                                                                                • Instruction Fuzzy Hash: E3411571804384AEEB778A68D88DBA7BBA49B02310F3440E5D282971E2E77C4D918711
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                                                                                                • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                                                                                                Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
• Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
• Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
• Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
• Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 0074B9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 0074BA3A
• InterlockedIncrement.KERNEL32(?), ref: 0074BA94
• GetTickCount.KERNEL32 ref: 0074BB79
• GetTickCount.KERNEL32 ref: 0074BB99
• InterlockedIncrement.KERNEL32(?), ref: 0074BE15
• closesocket.WS2_32(00000000), ref: 0074BEB4
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
• Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction ID: c2df54dd6ab5b1124752b36b5f646c0dbfeaf672b73ee6afc5ad555f07d3f404
• Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction Fuzzy Hash: 8A319F71900258EFDF25DFA4DC88AED77B8EB88700F204066FA2482161DB39DE85CF10
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
• Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
• Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
• Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(?,?), ref: 007470BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 007470F4
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: f572759d8d8aa6e0e8aff4aaa37f5e7e3d837ea82455bfda58608e8463382bb9
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: CB11617290411CEBDF15CFE4DD84ADEB7BCAB48301F1441A6E501F6090E7749B88CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
• Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
• Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
Uniqueness
Uniqueness Score: -1.00%

APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: gethostbyaddrinet_ntoa
                                                                                                                                                                                • String ID: localcfg
                                                                                                                                                                                • API String ID: 2112563974-1857712256
                                                                                                                                                                                • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                                                                                                • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                                                                                                                • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                                                                                                • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                                                                                                                • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: gethostbynameinet_addr
                                                                                                                                                                                • String ID: time_cfg
                                                                                                                                                                                • API String ID: 1594361348-2401304539
                                                                                                                                                                                • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                                                                • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                                                                                                                • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                                                                • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7558EA50,80000001,00000000), ref: 0040EAF2
                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                                                                                • String ID: ntdll.dll
                                                                                                                                                                                • API String ID: 2574300362-2227199552
                                                                                                                                                                                • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                                                                                • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                                                                                                                • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                                                                                • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,76132640,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                                                                                                  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1017166417-0
                                                                                                                                                                                • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                                                                                                • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                                                                                                                • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                                                                                                • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 00742F88: GetModuleHandleA.KERNEL32(?), ref: 00742FA1
                                                                                                                                                                                  • Part of subcall function 00742F88: LoadLibraryA.KERNEL32(?), ref: 00742FB1
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007431DA
                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 007431E1
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_16_2_740000_wdkncqjt.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1017166417-0
                                                                                                                                                                                • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                                                                                                • Instruction ID: cb9aca7940ffeab1b22cffcc8ef01076bcec0416c2718d61b318512b16401b49
                                                                                                                                                                                • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                                                                                                • Instruction Fuzzy Hash: 8D519A3190024AEFCF019F64D8889FAB775FF15305F244169EC9AC7221E776DA19CB90
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%
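The per-function blocks above are easier to work with as records than as rendered text: the two Heap/LoadLibrary blocks, for instance, carry the same API String ID (1017166417-0) at two dump offsets, 00400000 (the PE image) and 00740000 (a region marked "based on PE: false", i.e. not backed by a mapped image), which is the same routine present twice in memory. The following is an added example, not part of the Joe Sandbox report or of Joe Sandbox's tooling: a small parser for the block layout as rendered above (inferred from this text, not from a published schema), plus a triage pass over the parsed records. The sample input is a constructed, abbreviated excerpt of four of the blocks above (Opcode ID and Instruction ID lines dropped; they parse the same way when present).

```python
"""Parse Joe Sandbox per-function summary blocks into records and triage them.

Added example; the block layout ("APIs" heading, "• api.MODULE(args), ref: addr"
lines, "• Key: value" lines, "Uniqueness Score") is inferred from the report text.
"""
import re
from collections import defaultdict

# Constructed, abbreviated excerpt of four blocks from the report above.
SAMPLE_REPORT = """\
APIs
• inet_addr.WS2_32(00000001), ref: 00402693
• gethostbyname.WS2_32(00000001), ref: 0040269F
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7558EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,76132640,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
• Source File: 00000010.00000002.1575682515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• API String ID: 1017166417-0
• Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00742F88: GetModuleHandleA.KERNEL32(?), ref: 00742FA1
  • Part of subcall function 00742F88: LoadLibraryA.KERNEL32(?), ref: 00742FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 007431DA
• HeapFree.KERNEL32(00000000), ref: 007431E1
• Source File: 00000010.00000002.1575964842.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• API String ID: 1017166417-0
• Instruction Fuzzy Hash: 8D519A3190024AEFCF019F64D8889FAB775FF15305F244169EC9AC7221E776DA19CB90
Uniqueness Score: -1.00%
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SRC_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[\d.]+)%$")
NAME_RESOLUTION = {"gethostbyname", "gethostbyaddr", "inet_addr", "inet_ntoa", "getaddrinfo"}


def parse_blocks(text):
    """One dict per block: apis (name/module/args/ref/sub), meta, offset, based_on_pe."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()                      # drop the report's deep indentation
        if line == "APIs":                      # every block opens with this heading
            cur = {"apis": [], "meta": {}}
            blocks.append(cur)
        elif cur is None or not line:
            continue
        elif (m := API_RE.match(line)):         # subcall lines keep the caller in "sub"
            cur["apis"].append(m.groupdict())
        elif (m := SCORE_RE.match(line)):
            cur["uniqueness"] = float(m.group(1))
        elif (m := KV_RE.match(line)):
            key, value = m["key"].strip(), m["value"].strip()
            cur["meta"][key] = value
            if key == "Source File" and (s := SRC_RE.search(value)):
                cur["offset"] = int(s.group(1), 16)
                cur["based_on_pe"] = s.group(2) == "true"
    return blocks


def triage(block):
    """Tags worth a second look: host-name resolution, GetProcAddress-style API
    resolution, and code living in a dump region that is not backed by a PE."""
    names = {a["name"] for a in block["apis"]}
    tags = []
    if names & NAME_RESOLUTION:
        tags.append("name-resolution")
    if "GetProcAddress" in names and names & {"LoadLibraryA", "GetModuleHandleA"}:
        tags.append("dynamic-api-resolution")
    if block.get("based_on_pe") is False:
        tags.append("outside-mapped-pe")
    return tags


def same_function_across_regions(blocks):
    """API String ID -> sorted dump offsets, for IDs seen at more than one offset
    (the same routine present in two memory regions)."""
    seen = defaultdict(set)
    for b in blocks:
        if "API String ID" in b["meta"] and "offset" in b:
            seen[b["meta"]["API String ID"]].add(b["offset"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE_REPORT):
        print(b["apis"][-1]["ref"], b["meta"].get("API ID"), triage(b))
    print(same_function_across_regions(parse_blocks(SAMPLE_REPORT)))
```

Run against the full report text the same parser picks up every block; the cross-region grouping is the quick way to see which routines of the 0x400000 image also appear in the 0x740000 region, and the Instruction Fuzzy Hash values of such a pair can then be compared directly.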

Execution Graph

Execution Coverage: 15%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1809
Total number of Limit Nodes: 18
execution_graph: serialized node/edge list backing the interactive execution graph (one entry per node: numeric node id, virtual address, the APIs called at that node, and `a->b` edges between node ids); not reproduced in the text rendering.
calls 6367->6368 6369 25a313b 6368->6369 6370 25ac125 6369->6370 6971 25aec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6370->6971 6372 25ac12d 6373 25ae654 12 API calls 6372->6373 6374 25ac2bd 6373->6374 6375 25ae654 12 API calls 6374->6375 6376 25ac2c9 6375->6376 6377 25ae654 12 API calls 6376->6377 6378 25aa47a 6377->6378 6379 25a8db1 6378->6379 6380 25a8dbc 6379->6380 6381 25ae654 12 API calls 6380->6381 6382 25a8dec Sleep 6381->6382 6382->6200 6384 25ac92f 6383->6384 6385 25ac93c 6384->6385 6983 25ac517 6384->6983 6387 25aca2b 6385->6387 6388 25ae819 11 API calls 6385->6388 6387->6200 6389 25ac96a 6388->6389 6390 25ae819 11 API calls 6389->6390 6391 25ac97d 6390->6391 6392 25ae819 11 API calls 6391->6392 6393 25ac990 6392->6393 6394 25ac9aa 6393->6394 6395 25aebcc 3 API calls 6393->6395 6394->6387 6972 25a2684 6394->6972 6395->6394 6400 25aca26 7000 25ac8aa 6400->7000 6403 25aca44 6404 25aca4b closesocket 6403->6404 6405 25aca83 6403->6405 6404->6400 6406 25aea84 28 API calls 6405->6406 6407 25acaac 6406->6407 6408 25af04e 4 API calls 6407->6408 6409 25acab2 6408->6409 6410 25aea84 28 API calls 6409->6410 6411 25acaca 6410->6411 6412 25aea84 28 API calls 6411->6412 6413 25acad9 6412->6413 7004 25ac65c 6413->7004 6416 25acb60 closesocket 6416->6387 6418 25adad2 closesocket 6419 25ae318 21 API calls 6418->6419 6420 25adae0 6419->6420 6420->6387 6421 25adf4c 18 API calls 6481 25acb70 6421->6481 6426 25ae654 12 API calls 6426->6481 6428 25ac65c send GetProcessHeap HeapSize GetProcessHeap 6428->6481 6433 25aea84 28 API calls 6433->6481 6434 25ad569 closesocket Sleep 7051 25ae318 6434->7051 6435 25ad815 wsprintfA 6435->6481 6436 25acc1c GetTempPathA 6436->6481 6437 25a7ead 6 API calls 6437->6481 6438 25ac517 22 API calls 6438->6481 6440 25af04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6440->6481 6441 25ae8a1 28 API calls 6441->6481 6442 25ad582 ExitProcess 6443 25acfe3 GetSystemDirectoryA 6443->6481 6444 25acfad 
GetEnvironmentVariableA 6444->6481 6445 25a675c 20 API calls 6445->6481 6446 25ad027 GetSystemDirectoryA 6446->6481 6447 25ad105 lstrcatA 6447->6481 6448 25aef1e lstrlenA 6448->6481 6449 25aec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6449->6481 6450 25acc9f CreateFileA 6451 25accc6 WriteFile 6450->6451 6450->6481 6454 25acdcc CloseHandle 6451->6454 6455 25acced CloseHandle 6451->6455 6452 25ad15b CreateFileA 6453 25ad182 WriteFile CloseHandle 6452->6453 6452->6481 6453->6481 6454->6481 6461 25acd2f 6455->6461 6456 25ad149 SetFileAttributesA 6456->6452 6457 25acd16 wsprintfA 6457->6461 6458 25ad36e GetEnvironmentVariableA 6458->6481 6459 25ad1bf SetFileAttributesA 6459->6481 6460 25a8e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6460->6481 6461->6457 7033 25a7fcf 6461->7033 6462 25ad22d GetEnvironmentVariableA 6462->6481 6463 25ad3af lstrcatA 6466 25ad3f2 CreateFileA 6463->6466 6463->6481 6465 25a7fcf 64 API calls 6465->6481 6468 25ad415 WriteFile CloseHandle 6466->6468 6466->6481 6468->6481 6469 25acda5 6472 25a7ee6 64 API calls 6469->6472 6470 25acd81 WaitForSingleObject CloseHandle CloseHandle 6471 25af04e 4 API calls 6470->6471 6471->6469 6473 25acdbd DeleteFileA 6472->6473 6473->6481 6474 25ad4b1 CreateProcessA 6477 25ad4e8 CloseHandle CloseHandle 6474->6477 6474->6481 6475 25ad3e0 SetFileAttributesA 6475->6466 6476 25ad26e lstrcatA 6478 25ad2b1 CreateFileA 6476->6478 6476->6481 6477->6481 6478->6481 6482 25ad2d8 WriteFile CloseHandle 6478->6482 6479 25a7ee6 64 API calls 6479->6481 6480 25ad452 SetFileAttributesA 6480->6481 6481->6418 6481->6421 6481->6426 6481->6428 6481->6433 6481->6434 6481->6435 6481->6436 6481->6437 6481->6438 6481->6440 6481->6441 6481->6443 6481->6444 6481->6445 6481->6446 6481->6447 6481->6448 6481->6449 6481->6450 6481->6452 6481->6456 6481->6458 6481->6459 6481->6460 6481->6462 6481->6463 6481->6465 6481->6466 6481->6474 6481->6475 6481->6476 6481->6478 6481->6479 6481->6480 6484 
25ad29f SetFileAttributesA 6481->6484 6486 25ad31d SetFileAttributesA 6481->6486 7012 25ac75d 6481->7012 7024 25a7e2f 6481->7024 7046 25a7ead 6481->7046 7056 25a31d0 6481->7056 7073 25a3c09 6481->7073 7083 25a3a00 6481->7083 7087 25ae7b4 6481->7087 7090 25ac06c 6481->7090 7096 25a6f5f GetUserNameA 6481->7096 7107 25ae854 6481->7107 7117 25a7dd6 6481->7117 6482->6481 6484->6478 6486->6481 6488 25a677a SetFileAttributesA 6487->6488 6489 25a6784 CreateFileA 6487->6489 6488->6489 6490 25a67a4 CreateFileA 6489->6490 6491 25a67b5 6489->6491 6490->6491 6492 25a67ba SetFileAttributesA 6491->6492 6493 25a67c5 6491->6493 6492->6493 6494 25a67cf GetFileSize 6493->6494 6495 25a6977 6493->6495 6496 25a67e5 6494->6496 6514 25a6965 6494->6514 6495->6182 6515 25a6a60 CreateFileA 6495->6515 6498 25a67ed ReadFile 6496->6498 6496->6514 6497 25a696e FindCloseChangeNotification 6497->6495 6499 25a6811 SetFilePointer 6498->6499 6498->6514 6500 25a682a ReadFile 6499->6500 6499->6514 6501 25a6848 SetFilePointer 6500->6501 6500->6514 6502 25a6867 6501->6502 6501->6514 6503 25a6878 ReadFile 6502->6503 6504 25a68d5 6502->6504 6506 25a6891 6503->6506 6508 25a68d0 6503->6508 6504->6497 6505 25aebcc 3 API calls 6504->6505 6507 25a68f8 6505->6507 6506->6503 6506->6508 6509 25a6900 SetFilePointer 6507->6509 6507->6514 6508->6504 6510 25a695a 6509->6510 6511 25a690d ReadFile 6509->6511 6513 25aec2e codecvt 4 API calls 6510->6513 6511->6510 6512 25a6922 6511->6512 6512->6497 6513->6514 6514->6497 6516 25a6a8f GetDiskFreeSpaceA 6515->6516 6517 25a6b8c GetLastError 6515->6517 6518 25a6ac5 6516->6518 6527 25a6ad7 6516->6527 6525 25a6b86 6517->6525 7202 25aeb0e 6518->7202 6522 25a6b56 CloseHandle 6522->6525 6526 25a6b65 GetLastError CloseHandle 6522->6526 6523 25a6b36 GetLastError CloseHandle 6524 25a6b7f DeleteFileA 6523->6524 6524->6525 6525->6198 6526->6524 7206 25a6987 6527->7206 6529 25a96b9 6528->6529 6530 25a73ff 17 API calls 6529->6530 6531 25a96e2 6530->6531 6532 25a96f7 6531->6532 6533 
25a704c 16 API calls 6531->6533 6532->6176 6532->6177 6533->6532 6535 25a429d 6534->6535 6536 25a42a5 6534->6536 6535->6180 6535->6195 7212 25a3ecd 6536->7212 6538 25a42b0 7216 25a4000 6538->7216 6540 25a43c1 CloseHandle 6540->6535 6541 25a42b6 6541->6535 6541->6540 7222 25a3f18 WriteFile 6541->7222 6546 25a43ba CloseHandle 6546->6540 6547 25a4318 6548 25a3f18 4 API calls 6547->6548 6549 25a4331 6548->6549 6550 25a3f18 4 API calls 6549->6550 6551 25a434a 6550->6551 6552 25aebcc 3 API calls 6551->6552 6553 25a4350 6552->6553 6554 25a3f18 4 API calls 6553->6554 6555 25a4389 6554->6555 6556 25aec2e codecvt 4 API calls 6555->6556 6557 25a438f 6556->6557 6558 25a3f8c 4 API calls 6557->6558 6559 25a439f CloseHandle CloseHandle 6558->6559 6559->6535 6561 25a99eb 6560->6561 6562 25a9a2f lstrcatA 6561->6562 6563 25aee2a 6562->6563 6564 25a9a4b lstrcatA 6563->6564 6565 25a6a60 13 API calls 6564->6565 6566 25a9a60 6565->6566 6566->6204 6566->6232 6567 25a6dc2 6566->6567 6568 25a6e33 6567->6568 6569 25a6dd7 6567->6569 6568->6221 6570 25a6cc9 5 API calls 6569->6570 6571 25a6ddc 6570->6571 6571->6571 6572 25a6e02 GetVolumeInformationA 6571->6572 6573 25a6e24 6571->6573 6572->6573 6573->6568 6575 25a6cdc GetModuleHandleA GetProcAddress 6574->6575 6580 25a6d8b 6574->6580 6576 25a6d12 GetSystemDirectoryA 6575->6576 6579 25a6cfd 6575->6579 6577 25a6d1e 6576->6577 6578 25a6d27 GetWindowsDirectoryA 6576->6578 6577->6578 6577->6580 6582 25a6d42 6578->6582 6579->6576 6579->6580 6580->6229 6581 25aef1e lstrlenA 6581->6580 6582->6581 7230 25a1910 6583->7230 6586 25a934a GetModuleHandleA GetModuleFileNameA 6588 25a937f 6586->6588 6589 25a93d9 6588->6589 6590 25a93a4 6588->6590 6591 25a9401 wsprintfA 6589->6591 6592 25a93c3 wsprintfA 6590->6592 6593 25a9415 6591->6593 6592->6593 6596 25a6cc9 5 API calls 6593->6596 6616 25a94a0 6593->6616 6594 25a6edd 5 API calls 6595 25a94ac 6594->6595 6597 25a962f 6595->6597 6599 25a94e8 RegOpenKeyExA 6595->6599 6598 25a9439 6596->6598 6603 25a9646 
6597->6603 7245 25a1820 6597->7245 6607 25aef1e lstrlenA 6598->6607 6601 25a94fb 6599->6601 6602 25a9502 6599->6602 6601->6597 6605 25a958a 6601->6605 6606 25a951f RegQueryValueExA 6602->6606 6612 25a95d6 6603->6612 7251 25a91eb 6603->7251 6605->6603 6608 25a9593 6605->6608 6609 25a9539 6606->6609 6610 25a9530 6606->6610 6611 25a9462 6607->6611 6608->6612 7232 25af0e4 6608->7232 6614 25a9556 RegQueryValueExA 6609->6614 6613 25a956e RegCloseKey 6610->6613 6615 25a947e wsprintfA 6611->6615 6612->6240 6612->6241 6613->6601 6614->6610 6614->6613 6615->6616 6616->6594 6618 25a95bb 6618->6612 7239 25a18e0 6618->7239 6621 25a2544 6620->6621 6622 25a972d RegOpenKeyExA 6621->6622 6623 25a9740 6622->6623 6624 25a9765 6622->6624 6625 25a974f RegDeleteValueA RegCloseKey 6623->6625 6624->6215 6625->6624 6627 25a2554 lstrcatA 6626->6627 6628 25aee2a 6627->6628 6629 25aa0ec lstrcatA 6628->6629 6629->6248 6631 25aa15d 6630->6631 6632 25aec37 6630->6632 6631->6180 6631->6182 6633 25aeba0 codecvt 2 API calls 6632->6633 6634 25aec3d GetProcessHeap RtlFreeHeap 6633->6634 6634->6631 6636 25a2544 6635->6636 6637 25a919e wsprintfA 6636->6637 6638 25a91bb 6637->6638 7289 25a9064 GetTempPathA 6638->7289 6641 25a91e7 6641->6198 6642 25a91d5 ShellExecuteA 6642->6641 6644 25a6ecc 6643->6644 6646 25a6ed5 6643->6646 6645 25a6e36 2 API calls 6644->6645 6645->6646 6646->6236 6648 25a98f6 6647->6648 6649 25a4280 29 API calls 6648->6649 6650 25a9904 Sleep 6648->6650 6651 25a9915 6648->6651 6649->6648 6650->6648 6650->6651 6652 25a9947 6651->6652 7296 25a977c 6651->7296 6652->6230 6655 25add41 InterlockedExchange 6654->6655 6656 25add4a 6655->6656 6657 25add20 GetCurrentThreadId 6655->6657 6658 25add53 GetCurrentThreadId 6656->6658 6657->6658 6659 25add2e GetTickCount 6657->6659 6658->6267 6660 25add39 Sleep 6659->6660 6661 25add4c 6659->6661 6660->6655 6661->6658 6663 25adbf0 6662->6663 6695 25adb67 GetEnvironmentVariableA 6663->6695 6665 25adcda 6665->6269 6666 25adc19 6666->6665 6667 25adb67 3 
API calls 6666->6667 6668 25adc5c 6667->6668 6668->6665 6669 25adb67 3 API calls 6668->6669 6670 25adc9b 6669->6670 6670->6665 6671 25adb67 3 API calls 6670->6671 6671->6665 6673 25ae528 6672->6673 6674 25ae3f4 6672->6674 6673->6280 6675 25ae434 RegQueryValueExA 6674->6675 6676 25ae458 6675->6676 6677 25ae51d RegCloseKey 6675->6677 6678 25ae46e RegQueryValueExA 6676->6678 6677->6673 6678->6676 6679 25ae488 6678->6679 6679->6677 6680 25adb2e 6 API calls 6679->6680 6681 25ae499 6680->6681 6681->6677 6682 25ae4b9 RegQueryValueExA 6681->6682 6683 25ae4e8 6681->6683 6682->6681 6682->6683 6683->6677 6684 25ae332 12 API calls 6683->6684 6685 25ae513 6684->6685 6685->6677 6687 25adb3a 6686->6687 6688 25adb55 6686->6688 6699 25aebed 6687->6699 6688->6271 6688->6276 6719 25af04e SystemTimeToFileTime GetSystemTimeAsFileTime 6690->6719 6692 25ae3be 6692->6271 6693 25ae342 6693->6692 6722 25ade24 6693->6722 6696 25adbca 6695->6696 6697 25adb89 lstrcpyA CreateFileA 6695->6697 6696->6666 6697->6666 6700 25aec01 6699->6700 6701 25aebf6 6699->6701 6713 25aeba0 6700->6713 6709 25aebcc GetProcessHeap 6701->6709 6706 25aec20 6716 25aeb74 6706->6716 6710 25aebe0 6709->6710 6711 25aeb74 2 API calls 6710->6711 6712 25aebe8 6711->6712 6712->6688 6714 25aebbf GetProcessHeap 6713->6714 6715 25aeba7 GetProcessHeap HeapSize 6713->6715 6714->6706 6715->6714 6717 25aeb7b GetProcessHeap HeapSize 6716->6717 6718 25aeb93 6716->6718 6717->6718 6718->6688 6733 25aeb41 6719->6733 6721 25af0b7 6721->6693 6723 25ade3a 6722->6723 6730 25ade4e 6723->6730 6742 25add84 6723->6742 6726 25ade9e 6727 25aebed 6 API calls 6726->6727 6726->6730 6731 25adef6 6727->6731 6728 25ade76 6746 25addcf 6728->6746 6730->6693 6731->6730 6732 25addcf lstrcmpA 6731->6732 6732->6730 6734 25aeb4a 6733->6734 6735 25aeb61 6733->6735 6738 25aeae4 6734->6738 6735->6721 6737 25aeb54 6737->6721 6737->6735 6739 25aeaed LoadLibraryA 6738->6739 6740 25aeb02 GetProcAddress 6738->6740 6739->6740 6741 25aeb01 6739->6741 6740->6737 
6741->6737 6743 25add96 6742->6743 6744 25addc5 6742->6744 6743->6744 6745 25addad lstrcmpiA 6743->6745 6744->6726 6744->6728 6745->6743 6745->6744 6747 25ade20 6746->6747 6749 25adddd 6746->6749 6747->6730 6748 25addfa lstrcmpA 6748->6749 6749->6747 6749->6748 6751 25add05 6 API calls 6750->6751 6752 25ae821 6751->6752 6753 25add84 lstrcmpiA 6752->6753 6754 25ae82c 6753->6754 6756 25ae844 6754->6756 6799 25a2480 6754->6799 6756->6296 6758 25aea98 6757->6758 6808 25ae8a1 6758->6808 6760 25a1e84 6760->6304 6762 25a19ce 6761->6762 6763 25a19d5 GetProcAddress GetProcAddress GetProcAddress 6761->6763 6762->6309 6764 25a1ab3 FreeLibrary 6763->6764 6765 25a1a04 6763->6765 6764->6762 6765->6764 6766 25a1a14 GetBestInterface GetProcessHeap 6765->6766 6766->6762 6767 25a1a2e 6766->6767 6767->6762 6768 25a1a42 GetAdaptersInfo 6767->6768 6771 25a1a52 6768->6771 6769 25a1a69 GetAdaptersInfo 6770 25a1aa1 FreeLibrary 6769->6770 6772 25a1a75 HeapFree 6769->6772 6770->6762 6771->6769 6771->6770 6772->6770 6836 25a1ac3 LoadLibraryA 6774->6836 6777 25a1bcf 6777->6320 6779 25a1ac3 11 API calls 6778->6779 6780 25a1c09 6779->6780 6781 25a1c5a 6780->6781 6782 25a1c0d GetComputerNameA 6780->6782 6781->6329 6783 25a1c1f 6782->6783 6784 25a1c45 GetVolumeInformationA 6782->6784 6783->6784 6785 25a1c41 6783->6785 6784->6781 6785->6781 6787 25aee2a 6786->6787 6788 25a30d0 gethostname gethostbyname 6787->6788 6789 25a1f82 6788->6789 6789->6334 6789->6335 6791 25add05 6 API calls 6790->6791 6792 25adf7c 6791->6792 6793 25add84 lstrcmpiA 6792->6793 6797 25adf89 6793->6797 6794 25adfc4 6794->6303 6795 25addcf lstrcmpA 6795->6797 6796 25aec2e codecvt 4 API calls 6796->6797 6797->6794 6797->6795 6797->6796 6798 25add84 lstrcmpiA 6797->6798 6798->6797 6802 25a2419 lstrlenA 6799->6802 6801 25a2491 6801->6756 6803 25a243d lstrlenA 6802->6803 6804 25a2474 6802->6804 6805 25a244e lstrcmpiA 6803->6805 6806 25a2464 lstrlenA 6803->6806 6804->6801 6805->6806 6807 25a245c 6805->6807 6806->6803 6806->6804 
6807->6804 6807->6806 6809 25add05 6 API calls 6808->6809 6810 25ae8b4 6809->6810 6811 25add84 lstrcmpiA 6810->6811 6812 25ae8c0 6811->6812 6813 25ae8c8 lstrcpynA 6812->6813 6823 25ae90a 6812->6823 6815 25ae8f5 6813->6815 6814 25a2419 4 API calls 6816 25ae926 lstrlenA lstrlenA 6814->6816 6829 25adf4c 6815->6829 6818 25ae96a 6816->6818 6819 25ae94c lstrlenA 6816->6819 6822 25aebcc 3 API calls 6818->6822 6824 25aea27 6818->6824 6819->6818 6820 25ae901 6821 25add84 lstrcmpiA 6820->6821 6821->6823 6825 25ae98f 6822->6825 6823->6814 6823->6824 6824->6760 6825->6824 6826 25adf4c 18 API calls 6825->6826 6827 25aea1e 6826->6827 6828 25aec2e codecvt 4 API calls 6827->6828 6828->6824 6830 25add05 6 API calls 6829->6830 6831 25adf51 6830->6831 6832 25af04e 4 API calls 6831->6832 6833 25adf58 6832->6833 6834 25ade24 8 API calls 6833->6834 6835 25adf63 6834->6835 6835->6820 6837 25a1ae2 GetProcAddress 6836->6837 6843 25a1b68 GetComputerNameA GetVolumeInformationA 6836->6843 6840 25a1af5 6837->6840 6837->6843 6838 25a1b1c GetAdaptersAddresses 6838->6840 6841 25a1b29 6838->6841 6839 25aebed 6 API calls 6839->6840 6840->6838 6840->6839 6840->6841 6841->6841 6842 25aec2e codecvt 4 API calls 6841->6842 6841->6843 6842->6843 6843->6777 6845 25a6ec3 2 API calls 6844->6845 6846 25a7ef4 6845->6846 6856 25a7fc9 6846->6856 6880 25a73ff 6846->6880 6848 25a7f16 6848->6856 6900 25a7809 GetUserNameA 6848->6900 6850 25a7f63 6850->6856 6924 25aef1e lstrlenA 6850->6924 6853 25aef1e lstrlenA 6854 25a7fb7 6853->6854 6926 25a7a95 RegOpenKeyExA 6854->6926 6856->6344 6858 25a7073 6857->6858 6859 25a70b9 RegOpenKeyExA 6858->6859 6860 25a70d0 6859->6860 6874 25a71b8 6859->6874 6861 25a6dc2 6 API calls 6860->6861 6864 25a70d5 6861->6864 6862 25a719b RegEnumValueA 6863 25a71af RegCloseKey 6862->6863 6862->6864 6863->6874 6864->6862 6866 25a71d0 6864->6866 6957 25af1a5 lstrlenA 6864->6957 6867 25a7205 RegCloseKey 6866->6867 6868 25a7227 6866->6868 6867->6874 6869 25a72b8 ___ascii_stricmp 6868->6869 6870 
25a728e RegCloseKey 6868->6870 6871 25a72cd RegCloseKey 6869->6871 6872 25a72dd 6869->6872 6870->6874 6871->6874 6873 25a7311 RegCloseKey 6872->6873 6875 25a7335 6872->6875 6873->6874 6874->6345 6876 25a73d5 RegCloseKey 6875->6876 6878 25a737e GetFileAttributesExA 6875->6878 6879 25a7397 6875->6879 6877 25a73e4 6876->6877 6878->6879 6879->6876 6881 25a741b 6880->6881 6882 25a6dc2 6 API calls 6881->6882 6883 25a743f 6882->6883 6884 25a7469 RegOpenKeyExA 6883->6884 6886 25a77f9 6884->6886 6896 25a7487 ___ascii_stricmp 6884->6896 6885 25a7703 RegEnumKeyA 6887 25a7714 RegCloseKey 6885->6887 6885->6896 6886->6848 6887->6886 6888 25af1a5 lstrlenA 6888->6896 6889 25a74d2 RegOpenKeyExA 6889->6896 6890 25a772c 6892 25a774b 6890->6892 6893 25a7742 RegCloseKey 6890->6893 6891 25a7521 RegQueryValueExA 6891->6896 6895 25a77ec RegCloseKey 6892->6895 6893->6892 6894 25a76e4 RegCloseKey 6894->6896 6895->6886 6896->6885 6896->6888 6896->6889 6896->6890 6896->6891 6896->6894 6897 25a7769 6896->6897 6899 25a777e GetFileAttributesExA 6896->6899 6898 25a77e3 RegCloseKey 6897->6898 6898->6895 6899->6897 6901 25a783d LookupAccountNameA 6900->6901 6907 25a7a8d 6900->6907 6902 25a7874 GetLengthSid GetFileSecurityA 6901->6902 6901->6907 6903 25a78a8 GetSecurityDescriptorOwner 6902->6903 6902->6907 6904 25a791d GetSecurityDescriptorDacl 6903->6904 6905 25a78c5 EqualSid 6903->6905 6904->6907 6918 25a7941 6904->6918 6905->6904 6906 25a78dc LocalAlloc 6905->6906 6906->6904 6908 25a78ef InitializeSecurityDescriptor 6906->6908 6907->6850 6910 25a78fb SetSecurityDescriptorOwner 6908->6910 6911 25a7916 LocalFree 6908->6911 6909 25a795b GetAce 6909->6918 6910->6911 6912 25a790b SetFileSecurityA 6910->6912 6911->6904 6912->6911 6913 25a7980 EqualSid 6913->6918 6914 25a7a3d 6914->6907 6917 25a7a43 LocalAlloc 6914->6917 6915 25a79be EqualSid 6915->6918 6916 25a799d DeleteAce 6916->6918 6917->6907 6919 25a7a56 InitializeSecurityDescriptor 6917->6919 6918->6907 6918->6909 6918->6913 6918->6914 6918->6915 
6918->6916 6920 25a7a62 SetSecurityDescriptorDacl 6919->6920 6921 25a7a86 LocalFree 6919->6921 6920->6921 6922 25a7a73 SetFileSecurityA 6920->6922 6921->6907 6922->6921 6923 25a7a83 6922->6923 6923->6921 6925 25a7fa6 6924->6925 6925->6853 6927 25a7acb GetUserNameA 6926->6927 6928 25a7ac4 6926->6928 6929 25a7aed LookupAccountNameA 6927->6929 6930 25a7da7 RegCloseKey 6927->6930 6928->6856 6929->6930 6931 25a7b24 RegGetKeySecurity 6929->6931 6930->6928 6931->6930 6932 25a7b49 GetSecurityDescriptorOwner 6931->6932 6933 25a7bb8 GetSecurityDescriptorDacl 6932->6933 6934 25a7b63 EqualSid 6932->6934 6936 25a7da6 6933->6936 6949 25a7bdc 6933->6949 6934->6933 6935 25a7b74 LocalAlloc 6934->6935 6935->6933 6937 25a7b8a InitializeSecurityDescriptor 6935->6937 6936->6930 6939 25a7bb1 LocalFree 6937->6939 6940 25a7b96 SetSecurityDescriptorOwner 6937->6940 6938 25a7bf8 GetAce 6938->6949 6939->6933 6940->6939 6941 25a7ba6 RegSetKeySecurity 6940->6941 6941->6939 6942 25a7c1d EqualSid 6942->6949 6943 25a7cd9 6943->6936 6946 25a7d5a LocalAlloc 6943->6946 6947 25a7cf2 RegOpenKeyExA 6943->6947 6944 25a7c5f EqualSid 6944->6949 6945 25a7c3a DeleteAce 6945->6949 6946->6936 6948 25a7d70 InitializeSecurityDescriptor 6946->6948 6947->6946 6954 25a7d0f 6947->6954 6950 25a7d9f LocalFree 6948->6950 6951 25a7d7c SetSecurityDescriptorDacl 6948->6951 6949->6936 6949->6938 6949->6942 6949->6943 6949->6944 6949->6945 6950->6936 6951->6950 6952 25a7d8c RegSetKeySecurity 6951->6952 6952->6950 6953 25a7d9c 6952->6953 6953->6950 6955 25a7d43 RegSetValueExA 6954->6955 6955->6946 6956 25a7d54 6955->6956 6956->6946 6958 25af1c3 6957->6958 6958->6864 6959->6364 6961 25add05 6 API calls 6960->6961 6964 25ae65f 6961->6964 6962 25ae6a5 6963 25aebcc 3 API calls 6962->6963 6968 25ae6f5 6962->6968 6966 25ae6b0 6963->6966 6964->6962 6965 25ae68c lstrcmpA 6964->6965 6965->6964 6967 25ae6e0 lstrcpynA 6966->6967 6966->6968 6970 25ae6b7 6966->6970 6967->6968 6969 25ae71d lstrcmpA 6968->6969 6968->6970 6969->6968 
6970->6366 6971->6372 6973 25a268e 6972->6973 6974 25a2692 inet_addr 6972->6974 6976 25af428 6973->6976 6974->6973 6975 25a269e gethostbyname 6974->6975 6975->6973 7124 25af315 6976->7124 6979 25af43e 6980 25af473 recv 6979->6980 6981 25af458 6980->6981 6982 25af47c 6980->6982 6981->6980 6981->6982 6982->6403 6984 25ac532 6983->6984 6985 25ac525 6983->6985 6986 25ac548 6984->6986 7137 25ae7ff 6984->7137 6985->6984 6987 25aec2e codecvt 4 API calls 6985->6987 6989 25ae7ff lstrcmpiA 6986->6989 6998 25ac54f 6986->6998 6987->6984 6990 25ac615 6989->6990 6991 25aebcc 3 API calls 6990->6991 6990->6998 6991->6998 6992 25ac5d1 6994 25aebcc 3 API calls 6992->6994 6994->6998 6995 25ae819 11 API calls 6996 25ac5b7 6995->6996 6997 25af04e 4 API calls 6996->6997 6999 25ac5bf 6997->6999 6998->6385 6999->6986 6999->6992 7002 25ac8d2 7000->7002 7001 25ac907 7001->6387 7002->7001 7003 25ac517 22 API calls 7002->7003 7003->7001 7005 25ac67d 7004->7005 7006 25ac670 7004->7006 7008 25aebcc 3 API calls 7005->7008 7010 25ac699 7005->7010 7007 25aebcc 3 API calls 7006->7007 7007->7005 7008->7010 7009 25ac6f3 7009->6416 7009->6481 7010->7009 7011 25ac73c send 7010->7011 7011->7009 7013 25ac77d 7012->7013 7014 25ac770 7012->7014 7016 25ac799 7013->7016 7017 25aebcc 3 API calls 7013->7017 7015 25aebcc 3 API calls 7014->7015 7015->7013 7018 25ac7b5 7016->7018 7019 25aebcc 3 API calls 7016->7019 7017->7016 7020 25af43e recv 7018->7020 7019->7018 7021 25ac7cb 7020->7021 7022 25af43e recv 7021->7022 7023 25ac7d3 7021->7023 7022->7023 7023->6481 7140 25a7db7 7024->7140 7027 25a7e70 7029 25a7e96 7027->7029 7031 25af04e 4 API calls 7027->7031 7028 25af04e 4 API calls 7030 25a7e4c 7028->7030 7029->6481 7030->7027 7032 25af04e 4 API calls 7030->7032 7031->7029 7032->7027 7034 25a6ec3 2 API calls 7033->7034 7035 25a7fdd 7034->7035 7036 25a73ff 17 API calls 7035->7036 7037 25a80c2 CreateProcessA 7035->7037 7038 25a7fff 7036->7038 7037->6469 7037->6470 7038->7037 7039 25a7809 21 API calls 7038->7039 
7040 25a804d 7039->7040 7040->7037 7041 25aef1e lstrlenA 7040->7041 7042 25a809e 7041->7042 7043 25aef1e lstrlenA 7042->7043 7044 25a80af 7043->7044 7045 25a7a95 24 API calls 7044->7045 7045->7037 7047 25a7db7 2 API calls 7046->7047 7048 25a7eb8 7047->7048 7049 25af04e 4 API calls 7048->7049 7050 25a7ece DeleteFileA 7049->7050 7050->6481 7052 25add05 6 API calls 7051->7052 7053 25ae31d 7052->7053 7144 25ae177 7053->7144 7055 25ae326 7055->6442 7057 25a31ec 7056->7057 7058 25a31f3 7056->7058 7057->6481 7059 25aebcc 3 API calls 7058->7059 7072 25a31fc 7059->7072 7060 25a3459 7062 25af04e 4 API calls 7060->7062 7061 25a349d 7063 25aec2e codecvt 4 API calls 7061->7063 7064 25a345f 7062->7064 7063->7057 7065 25a30fa 4 API calls 7064->7065 7065->7057 7066 25aebcc GetProcessHeap HeapSize GetProcessHeap 7066->7072 7067 25a344d 7068 25aec2e codecvt 4 API calls 7067->7068 7069 25a344b 7068->7069 7069->7060 7069->7061 7071 25a3141 lstrcmpiA 7071->7072 7072->7057 7072->7066 7072->7067 7072->7069 7072->7071 7170 25a30fa GetTickCount 7072->7170 7074 25a30fa 4 API calls 7073->7074 7075 25a3c1a 7074->7075 7076 25a3ce6 7075->7076 7175 25a3a72 7075->7175 7076->6481 7079 25a3a72 9 API calls 7081 25a3c5e 7079->7081 7080 25a3a72 9 API calls 7080->7081 7081->7076 7081->7080 7082 25aec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7081->7082 7082->7081 7084 25a3a10 7083->7084 7085 25a30fa 4 API calls 7084->7085 7086 25a3a1a 7085->7086 7086->6481 7088 25add05 6 API calls 7087->7088 7089 25ae7be 7088->7089 7089->6481 7091 25ac07e wsprintfA 7090->7091 7095 25ac105 7090->7095 7184 25abfce GetTickCount wsprintfA 7091->7184 7093 25ac0ef 7185 25abfce GetTickCount wsprintfA 7093->7185 7095->6481 7097 25a6f88 LookupAccountNameA 7096->7097 7098 25a7047 7096->7098 7100 25a6fcb 7097->7100 7101 25a7025 7097->7101 7098->6481 7103 25a6fdb ConvertSidToStringSidA 7100->7103 7186 25a6edd 7101->7186 7103->7101 7105 25a6ff1 7103->7105 7106 25a7013 LocalFree 7105->7106 7106->7101 7108 25add05 
6 API calls 7107->7108 7109 25ae85c 7108->7109 7110 25add84 lstrcmpiA 7109->7110 7111 25ae867 7110->7111 7112 25ae885 lstrcpyA 7111->7112 7197 25a24a5 7111->7197 7200 25add69 7112->7200 7118 25a7db7 2 API calls 7117->7118 7119 25a7de1 7118->7119 7120 25a7e16 7119->7120 7121 25af04e 4 API calls 7119->7121 7120->6481 7122 25a7df2 7121->7122 7122->7120 7123 25af04e 4 API calls 7122->7123 7123->7120 7125 25af33b 7124->7125 7126 25aca1d 7124->7126 7127 25af347 htons socket 7125->7127 7126->6400 7126->6979 7128 25af382 ioctlsocket 7127->7128 7129 25af374 closesocket 7127->7129 7130 25af3aa connect select 7128->7130 7131 25af39d 7128->7131 7129->7126 7130->7126 7133 25af3f2 __WSAFDIsSet 7130->7133 7132 25af39f closesocket 7131->7132 7132->7126 7133->7132 7134 25af403 ioctlsocket 7133->7134 7136 25af26d setsockopt setsockopt setsockopt setsockopt setsockopt 7134->7136 7136->7126 7138 25add84 lstrcmpiA 7137->7138 7139 25ac58e 7138->7139 7139->6986 7139->6992 7139->6995 7141 25a7dc8 InterlockedExchange 7140->7141 7142 25a7dc0 Sleep 7141->7142 7143 25a7dd4 7141->7143 7142->7141 7143->7027 7143->7028 7145 25ae184 7144->7145 7146 25ae2e4 7145->7146 7147 25ae223 7145->7147 7160 25adfe2 7145->7160 7146->7055 7147->7146 7149 25adfe2 6 API calls 7147->7149 7153 25ae23c 7149->7153 7150 25ae1be 7150->7147 7151 25adbcf 3 API calls 7150->7151 7154 25ae1d6 7151->7154 7152 25ae21a CloseHandle 7152->7147 7153->7146 7164 25ae095 RegCreateKeyExA 7153->7164 7154->7147 7154->7152 7155 25ae1f9 WriteFile 7154->7155 7155->7152 7157 25ae213 7155->7157 7157->7152 7158 25ae2a3 7158->7146 7159 25ae095 4 API calls 7158->7159 7159->7146 7161 25adffc 7160->7161 7163 25ae024 7160->7163 7162 25adb2e 6 API calls 7161->7162 7161->7163 7162->7163 7163->7150 7165 25ae172 7164->7165 7169 25ae0c0 7164->7169 7165->7158 7166 25ae13d 7167 25ae14e RegDeleteValueA RegCloseKey 7166->7167 7167->7165 7168 25ae115 RegSetValueExA 7168->7166 7168->7169 7169->7166 7169->7168 7171 25a3122 InterlockedExchange 7170->7171 
APIs
• closesocket.WS2_32(?), ref: 025ACA4E
• closesocket.WS2_32(?), ref: 025ACB63
• GetTempPathA.KERNEL32(00000120,?), ref: 025ACC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 025ACCB4
• WriteFile.KERNEL32(025AA4B3,?,-000000E8,?,00000000), ref: 025ACCDC
• CloseHandle.KERNEL32(025AA4B3), ref: 025ACCED
• wsprintfA.USER32 ref: 025ACD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 025ACD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 025ACD89
• CloseHandle.KERNEL32(?), ref: 025ACD98
• CloseHandle.KERNEL32(?), ref: 025ACD9D
• DeleteFileA.KERNEL32(?), ref: 025ACDC4
• CloseHandle.KERNEL32(025AA4B3), ref: 025ACDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 025ACFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 025ACFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 025AD033
• lstrcatA.KERNEL32(?,03F00108), ref: 025AD10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 025AD155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 025AD171
• WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000), ref: 025AD195
• CloseHandle.KERNEL32(00000000), ref: 025AD19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 025AD1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 025AD231
• lstrcatA.KERNEL32(?,03F00108,?,?,?,?,?,?,?,00000100), ref: 025AD27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 025AD2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 025AD2C7
• WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 025AD2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 025AD2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 025AD326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 025AD372
• lstrcatA.KERNEL32(?,03F00108,?,?,?,?,?,?,?,00000100), ref: 025AD3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 025AD3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 025AD408
• WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 025AD428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 025AD42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 025AD45B
• CreateProcessA.KERNEL32(?,025B0264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 025AD4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 025AD4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 025AD4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 025AD513
• closesocket.WS2_32(?), ref: 025AD56C
• Sleep.KERNEL32(000003E8), ref: 025AD577
• ExitProcess.KERNEL32 ref: 025AD583
• wsprintfA.USER32 ref: 025AD81F
  • Part of subcall function 025AC65C: send.WS2_32(00000000,?,00000000), ref: 025AC74B
• closesocket.WS2_32(?), ref: 025ADAD5
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                                                                                                                • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                                                                                                                • API String ID: 562065436-1188463005
                                                                                                                                                                                • Opcode ID: 78e515f76d9b6a0a8133381edf881b3cbff643fbcf15fd79fab0da22e5927a77
                                                                                                                                                                                • Instruction ID: dbde9c55cd78c99c58654e23db9513c9792c7b1872bfb449ff6deb5f356af375
                                                                                                                                                                                • Opcode Fuzzy Hash: 78e515f76d9b6a0a8133381edf881b3cbff643fbcf15fd79fab0da22e5927a77
                                                                                                                                                                                • Instruction Fuzzy Hash: D3B2B571D41209AFEB11AF64DCAAFEE7BB9FB48304F04046AE505E7180E7309959DF68
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • SetErrorMode.KERNELBASE(00000003), ref: 025A9A7F
                                                                                                                                                                                • SetErrorMode.KERNELBASE(00000003), ref: 025A9A83
                                                                                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(025A6511), ref: 025A9A8A
                                                                                                                                                                                  • Part of subcall function 025AEC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 025AEC5E
                                                                                                                                                                                  • Part of subcall function 025AEC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 025AEC72
                                                                                                                                                                                  • Part of subcall function 025AEC54: GetTickCount.KERNEL32 ref: 025AEC78
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 025A9AB3
                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 025A9ABA
                                                                                                                                                                                • GetCommandLineA.KERNEL32 ref: 025A9AFD
                                                                                                                                                                                • lstrlenA.KERNEL32(?), ref: 025A9B99
                                                                                                                                                                                • ExitProcess.KERNEL32 ref: 025A9C06
                                                                                                                                                                                • GetTempPathA.KERNEL32(000001F4,?), ref: 025A9CAC
                                                                                                                                                                                • lstrcpyA.KERNEL32(?,00000000), ref: 025A9D7A
                                                                                                                                                                                • lstrcatA.KERNEL32(?,?), ref: 025A9D8B
                                                                                                                                                                                • lstrcatA.KERNEL32(?,025B070C), ref: 025A9D9D
                                                                                                                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 025A9DED
                                                                                                                                                                                • DeleteFileA.KERNEL32(00000022), ref: 025A9E38
                                                                                                                                                                                • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 025A9E6F
                                                                                                                                                                                • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 025A9EC8
                                                                                                                                                                                • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 025A9ED5
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 025A9F3B
                                                                                                                                                                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 025A9F5E
                                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 025A9F6A
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 025A9FAD
                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 025A9FB4
                                                                                                                                                                                • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 025A9FFE
                                                                                                                                                                                • lstrcatA.KERNEL32(00000022,00000000), ref: 025AA038
                                                                                                                                                                                • lstrcatA.KERNEL32(00000022,025B0A34), ref: 025AA05E
                                                                                                                                                                                • lstrcatA.KERNEL32(00000022,00000022), ref: 025AA072
                                                                                                                                                                                • lstrcatA.KERNEL32(00000022,025B0A34), ref: 025AA08D
                                                                                                                                                                                • wsprintfA.USER32 ref: 025AA0B6
                                                                                                                                                                                • lstrcatA.KERNEL32(00000022,00000000), ref: 025AA0DE
                                                                                                                                                                                • lstrcatA.KERNEL32(00000022,?), ref: 025AA0FD
                                                                                                                                                                                • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 025AA120
                                                                                                                                                                                • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 025AA131
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 025AA174
                                                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 025AA17B
                                                                                                                                                                                • GetDriveTypeA.KERNEL32(00000022), ref: 025AA1B6
                                                                                                                                                                                • GetCommandLineA.KERNEL32 ref: 025AA1E5
                                                                                                                                                                                  • Part of subcall function 025A99D2: lstrcpyA.KERNEL32(?,?,00000100,025B22F8,00000000,?,025A9E9D,?,00000022,?,?,?,?,?,?,?), ref: 025A99DF
                                                                                                                                                                                  • Part of subcall function 025A99D2: lstrcatA.KERNEL32(00000022,00000000,?,?,025A9E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 025A9A3C
                                                                                                                                                                                  • Part of subcall function 025A99D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,025A9E9D,?,00000022,?,?,?), ref: 025A9A52
                                                                                                                                                                                • lstrlenA.KERNEL32(?), ref: 025AA288
                                                                                                                                                                                • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 025AA3B7
                                                                                                                                                                                • GetLastError.KERNEL32 ref: 025AA3ED
                                                                                                                                                                                • Sleep.KERNEL32(000003E8), ref: 025AA400
                                                                                                                                                                                • DeleteFileA.KERNELBASE(025B33D8), ref: 025AA407
                                                                                                                                                                                • CreateThread.KERNELBASE(00000000,00000000,025A405E,00000000,00000000,00000000), ref: 025AA42C
                                                                                                                                                                                • WSAStartup.WS2_32(00001010,?), ref: 025AA43A
                                                                                                                                                                                • CreateThread.KERNELBASE(00000000,00000000,025A877E,00000000,00000000,00000000), ref: 025AA469
                                                                                                                                                                                • Sleep.KERNELBASE(00000BB8), ref: 025AA48A
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 025AA49F
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 025AA4B7
                                                                                                                                                                                • Sleep.KERNELBASE(00001A90), ref: 025AA4C3
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                                                                                                • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe$D$P$\$ptlohvde
                                                                                                                                                                                • API String ID: 2089075347-3407381469
                                                                                                                                                                                • Opcode ID: 1a744f0667b4f38c2a297fa9a839f4a63781ad6ab3d6ac2170be19943dc1cbdc
                                                                                                                                                                                • Instruction ID: 6d86ac99e88ebc1a981563c8d00cf417655e77cb55c03c7870823c5b9a22ad29
                                                                                                                                                                                • Opcode Fuzzy Hash: 1a744f0667b4f38c2a297fa9a839f4a63781ad6ab3d6ac2170be19943dc1cbdc
                                                                                                                                                                                • Instruction Fuzzy Hash: 755260B1C4025AAFDB129FA0CC5AEEF7BBDBF44304F1444A6E509A6140E7709A48CF69
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                control_flow_graph 791 25a199c-25a19cc inet_addr LoadLibraryA 792 25a19ce-25a19d0 791->792 793 25a19d5-25a19fe GetProcAddress * 3 791->793 794 25a1abf-25a1ac2 792->794 795 25a1ab3-25a1ab6 FreeLibrary 793->795 796 25a1a04-25a1a06 793->796 798 25a1abc 795->798 796->795 797 25a1a0c-25a1a0e 796->797 797->795 799 25a1a14-25a1a28 GetBestInterface GetProcessHeap 797->799 800 25a1abe 798->800 799->798 801 25a1a2e-25a1a40 799->801 800->794 801->798 803 25a1a42-25a1a50 GetAdaptersInfo 801->803 804 25a1a62-25a1a67 803->804 805 25a1a52-25a1a60 803->805 806 25a1a69-25a1a73 GetAdaptersInfo 804->806 807 25a1aa1-25a1aad FreeLibrary 804->807 805->804 806->807 810 25a1a75 806->810 807->798 808 25a1aaf-25a1ab1 807->808 808->800 811 25a1a77-25a1a80 810->811 812 25a1a8a-25a1a91 811->812 813 25a1a82-25a1a86 811->813 815 25a1a93 812->815 816 25a1a96-25a1a9b HeapFree 812->816 813->811 814 25a1a88 813->814 814->816 815->816 816->807
                                                                                                                                                                                APIs
                                                                                                                                                                                • inet_addr.WS2_32(123.45.67.89), ref: 025A19B1
                                                                                                                                                                                • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,025A1E9E), ref: 025A19BF
                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 025A19E2
                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 025A19ED
                                                                                                                                                                                • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 025A19F9
                                                                                                                                                                                • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,025A1E9E), ref: 025A1A1B
                                                                                                                                                                                • GetProcessHeap.KERNEL32(?,?,?,?,00000001,025A1E9E), ref: 025A1A1D
                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,025A1E9E), ref: 025A1A36
                                                                                                                                                                                • GetAdaptersInfo.IPHLPAPI(00000000,025A1E9E,?,?,?,?,00000001,025A1E9E), ref: 025A1A4A
                                                                                                                                                                                • HeapReAlloc.KERNEL32(?,00000000,00000000,025A1E9E,?,?,?,?,00000001,025A1E9E), ref: 025A1A5A
                                                                                                                                                                                • GetAdaptersInfo.IPHLPAPI(00000000,025A1E9E,?,?,?,?,00000001,025A1E9E), ref: 025A1A6E
                                                                                                                                                                                • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,025A1E9E), ref: 025A1A9B
                                                                                                                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,025A1E9E), ref: 025A1AA4
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                                                                                                                • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg$]Vw`'Vw
                                                                                                                                                                                • API String ID: 293628436-2743630432
                                                                                                                                                                                • Opcode ID: 5e225b13e22541c0678f790f982f7079174f379e176d11d8ebb6fe264b30bb68
                                                                                                                                                                                • Instruction ID: b52b49a75b586ac88c3c0608b94670fe426f6a6ab76f22d35400d887ba277b09
                                                                                                                                                                                • Opcode Fuzzy Hash: 5e225b13e22541c0678f790f982f7079174f379e176d11d8ebb6fe264b30bb68
                                                                                                                                                                                • Instruction Fuzzy Hash: 4F317E32D00209AFDB529FE4CD9A8BFBFB9FF44251F148569E10AA2140D7308E44DBA8
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                 control_flow_graph 696 25a7a95-25a7ac2 RegOpenKeyExA 697 25a7acb-25a7ae7 GetUserNameA 696->697 698 25a7ac4-25a7ac6 696->698 700 25a7aed-25a7b1e LookupAccountNameA 697->700 701 25a7da7-25a7db3 RegCloseKey 697->701 699 25a7db4-25a7db6 698->699 700->701 702 25a7b24-25a7b43 RegGetKeySecurity 700->702 701->699 702->701 703 25a7b49-25a7b61 GetSecurityDescriptorOwner 702->703 704 25a7bb8-25a7bd6 GetSecurityDescriptorDacl 703->704 705 25a7b63-25a7b72 EqualSid 703->705 707 25a7bdc-25a7be1 704->707 708 25a7da6 704->708 705->704 706 25a7b74-25a7b88 LocalAlloc 705->706 706->704 710 25a7b8a-25a7b94 InitializeSecurityDescriptor 706->710 707->708 709 25a7be7-25a7bf2 707->709 708->701 709->708 711 25a7bf8-25a7c08 GetAce 709->711 712 25a7bb1-25a7bb2 LocalFree 710->712 713 25a7b96-25a7ba4 SetSecurityDescriptorOwner 710->713 714 25a7c0e-25a7c1b 711->714 715 25a7cc6 711->715 712->704 713->712 716 25a7ba6-25a7bab RegSetKeySecurity 713->716 718 25a7c4f-25a7c52 714->718 719 25a7c1d-25a7c2f EqualSid 714->719 717 25a7cc9-25a7cd3 715->717 716->712 717->711 720 25a7cd9-25a7cdc 717->720 723 25a7c5f-25a7c71 EqualSid 718->723 724 25a7c54-25a7c5e 718->724 721 25a7c31-25a7c34 719->721 722 25a7c36-25a7c38 719->722 720->708 725 25a7ce2-25a7ce8 720->725 721->719 721->722 722->718 726 25a7c3a-25a7c4d DeleteAce 722->726 727 25a7c73-25a7c84 723->727 728 25a7c86 723->728 724->723 729 25a7d5a-25a7d6e LocalAlloc 725->729 730 25a7cea-25a7cf0 725->730 726->717 731 25a7c8b-25a7c8e 727->731 728->731 729->708 735 25a7d70-25a7d7a InitializeSecurityDescriptor 729->735 730->729 732 25a7cf2-25a7d0d RegOpenKeyExA 730->732 733 25a7c9d-25a7c9f 731->733 734 25a7c90-25a7c96 731->734 732->729 736 25a7d0f-25a7d16 732->736 737 25a7ca1-25a7ca5 733->737 738 25a7ca7-25a7cc3 733->738 734->733 739 25a7d9f-25a7da0 LocalFree 735->739 740 25a7d7c-25a7d8a SetSecurityDescriptorDacl 735->740 742 25a7d19-25a7d1e 736->742 737->715 737->738 738->715 739->708 740->739 741 25a7d8c-25a7d9a RegSetKeySecurity 740->741 741->739 743 25a7d9c 741->743 742->742 744 25a7d20-25a7d52 call 25a2544 RegSetValueExA 742->744 743->739 744->729 747 25a7d54 744->747 747->729
                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 025A7ABA
                                                                                                                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 025A7ADF
                                                                                                                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,025B070C,?,?,?), ref: 025A7B16
                                                                                                                                                                                • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 025A7B3B
                                                                                                                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 025A7B59
                                                                                                                                                                                • EqualSid.ADVAPI32(?,00000022), ref: 025A7B6A
                                                                                                                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 025A7B7E
                                                                                                                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 025A7B8C
                                                                                                                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 025A7B9C
                                                                                                                                                                                • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 025A7BAB
                                                                                                                                                                                • LocalFree.KERNEL32(00000000), ref: 025A7BB2
                                                                                                                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,025A7FC9,?,00000000), ref: 025A7BCE
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                                                                                                • String ID: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe$D
                                                                                                                                                                                • API String ID: 2976863881-2306690221
                                                                                                                                                                                • Opcode ID: c6c6550a1cba94fd5de46c680b72764dbce4f8e9caec0c67a091300202c926c5
                                                                                                                                                                                • Instruction ID: 6387624a93f5eff9e79178442bdc6ccc3049f47fa8ff9edcca764cfbaafb9db3
                                                                                                                                                                                • Opcode Fuzzy Hash: c6c6550a1cba94fd5de46c680b72764dbce4f8e9caec0c67a091300202c926c5
                                                                                                                                                                                • Instruction Fuzzy Hash: BEA14971D40219ABEF528FA0DC99EFFBFB9FB48304F044469E905E2180E7359A45DB68
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 748 25a7809-25a7837 GetUserNameA 749 25a7a8e-25a7a94 748->749 750 25a783d-25a786e LookupAccountNameA 748->750 750->749 751 25a7874-25a78a2 GetLengthSid GetFileSecurityA 750->751 751->749 752 25a78a8-25a78c3 GetSecurityDescriptorOwner 751->752 753 25a791d-25a793b GetSecurityDescriptorDacl 752->753 754 25a78c5-25a78da EqualSid 752->754 756 25a7a8d 753->756 757 25a7941-25a7946 753->757 754->753 755 25a78dc-25a78ed LocalAlloc 754->755 755->753 758 25a78ef-25a78f9 InitializeSecurityDescriptor 755->758 756->749 757->756 759 25a794c-25a7955 757->759 761 25a78fb-25a7909 SetSecurityDescriptorOwner 758->761 762 25a7916-25a7917 LocalFree 758->762 759->756 760 25a795b-25a796b GetAce 759->760 763 25a7a2a 760->763 764 25a7971-25a797e 760->764 761->762 765 25a790b-25a7910 SetFileSecurityA 761->765 762->753 768 25a7a2d-25a7a37 763->768 766 25a79ae-25a79b1 764->766 767 25a7980-25a7992 EqualSid 764->767 765->762 772 25a79be-25a79d0 EqualSid 766->772 773 25a79b3-25a79bd 766->773 769 25a7999-25a799b 767->769 770 25a7994-25a7997 767->770 768->760 771 25a7a3d-25a7a41 768->771 769->766 774 25a799d-25a79ac DeleteAce 769->774 770->767 770->769 771->756 775 25a7a43-25a7a54 LocalAlloc 771->775 776 25a79d2-25a79e3 772->776 777 25a79e5 772->777 773->772 774->768 775->756 778 25a7a56-25a7a60 InitializeSecurityDescriptor 775->778 779 25a79ea-25a79ed 776->779 777->779 780 25a7a62-25a7a71 SetSecurityDescriptorDacl 778->780 781 25a7a86-25a7a87 LocalFree 778->781 782 25a79f8-25a79fb 779->782 783 25a79ef-25a79f5 779->783 780->781 784 25a7a73-25a7a81 SetFileSecurityA 780->784 781->756 785 25a79fd-25a7a01 782->785 786 25a7a03-25a7a0e 782->786 783->782 784->781 789 25a7a83 784->789 785->763 785->786 787 25a7a19-25a7a24 786->787 788 25a7a10-25a7a17 786->788 790 25a7a27 787->790 788->790 789->781 790->763
                                                                                                                                                                                APIs
                                                                                                                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 025A782F
                                                                                                                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 025A7866
                                                                                                                                                                                • GetLengthSid.ADVAPI32(?), ref: 025A7878
                                                                                                                                                                                • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 025A789A
                                                                                                                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,025A7F63,?), ref: 025A78B8
                                                                                                                                                                                • EqualSid.ADVAPI32(?,025A7F63), ref: 025A78D2
                                                                                                                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 025A78E3
                                                                                                                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 025A78F1
                                                                                                                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 025A7901
                                                                                                                                                                                • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 025A7910
                                                                                                                                                                                • LocalFree.KERNEL32(00000000), ref: 025A7917
                                                                                                                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 025A7933
                                                                                                                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 025A7963
                                                                                                                                                                                • EqualSid.ADVAPI32(?,025A7F63), ref: 025A798A
                                                                                                                                                                                • DeleteAce.ADVAPI32(?,00000000), ref: 025A79A3
                                                                                                                                                                                • EqualSid.ADVAPI32(?,025A7F63), ref: 025A79C5
                                                                                                                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 025A7A4A
                                                                                                                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 025A7A58
                                                                                                                                                                                • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 025A7A69
                                                                                                                                                                                • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 025A7A79
                                                                                                                                                                                • LocalFree.KERNEL32(00000000), ref: 025A7A87
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                                                                                                • String ID: D
                                                                                                                                                                                • API String ID: 3722657555-2746444292
                                                                                                                                                                                • Opcode ID: a10b2989ddc31cad1ea9670b29afa26432aaa95040e8f60845eca83692f662d9
                                                                                                                                                                                • Instruction ID: 5ae97cf79d0c82b5db8e525b165487e79a944d67f21b7a25f2246ba081ae1554
                                                                                                                                                                                • Opcode Fuzzy Hash: a10b2989ddc31cad1ea9670b29afa26432aaa95040e8f60845eca83692f662d9
                                                                                                                                                                                • Instruction Fuzzy Hash: D9813871D0021AAFDB62CFA4CD95BEFBFB8BB0C344F14456AE506E2140D7349645DBA8
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                 control_flow_graph 817 25a8328-25a833e call 25a7dd6 820 25a8348-25a8356 call 25a6ec3 817->820 821 25a8340-25a8343 817->821 825 25a846b-25a8474 820->825 826 25a835c-25a8378 call 25a73ff 820->826 822 25a877b-25a877d 821->822 827 25a847a-25a8480 825->827 828 25a85c2-25a85ce 825->828 834 25a837e-25a8384 826->834 835 25a8464-25a8466 826->835 827->828 832 25a8486-25a84ba call 25a2544 RegOpenKeyExA 827->832 830 25a85d0-25a85da call 25a675c 828->830 831 25a8615-25a8620 828->831 842 25a85df-25a85eb 830->842 838 25a8626-25a864c GetTempPathA call 25a8274 call 25aeca5 831->838 839 25a86a7-25a86b0 call 25a6ba7 831->839 848 25a8543-25a8571 call 25a2544 RegOpenKeyExA 832->848 849 25a84c0-25a84db RegQueryValueExA 832->849 834->835 840 25a838a-25a838d 834->840 841 25a8779-25a877a 835->841 869 25a864e-25a866f call 25aeca5 838->869 870 25a8671-25a86a4 call 25a2544 call 25aef00 call 25aee2a 838->870 858 25a8762 839->858 859 25a86b6-25a86bd call 25a7e2f 839->859 840->835 846 25a8393-25a8399 840->846 841->822 842->831 847 25a85ed-25a85ef 842->847 853 25a839c-25a83a1 846->853 847->831 854 25a85f1-25a85fa 847->854 877 25a8573-25a857b 848->877 878 25a85a5-25a85b7 call 25aee2a 848->878 856 25a84dd-25a84e1 849->856 857 25a8521-25a852d RegCloseKey 849->857 853->853 863 25a83a3-25a83af 853->863 854->831 865 25a85fc-25a860f call 25a24c2 854->865 856->857 867 25a84e3-25a84e6 856->867 857->848 864 25a852f-25a8541 call 25aeed1 857->864 862 25a8768-25a876b 858->862 880 25a875b-25a875c DeleteFileA 859->880 881 25a86c3-25a873b call 25aee2a * 2 lstrcpyA lstrlenA call 25a7fcf CreateProcessA 859->881 871 25a876d-25a8775 call 25aec2e 862->871 872 25a8776-25a8778 862->872 873 25a83b3-25a83ba 863->873 874 25a83b1 863->874 864->848 864->878 865->831 865->862 867->857 879 25a84e8-25a84f6 call 25aebcc 867->879 869->870 870->839 871->872 872->841 886 25a8450-25a845f call 25aee2a 873->886 887 25a83c0-25a83fb call 25a2544 RegOpenKeyExA 873->887 874->873 889 25a857e-25a8583 877->889 878->828 901 25a85b9-25a85c1 call 25aec2e 878->901 879->857 906 25a84f8-25a8513 RegQueryValueExA 879->906 880->858 925 25a874f-25a875a call 25a7ee6 call 25a7ead 881->925 926 25a873d-25a874d CloseHandle * 2 881->926 886->828 887->886 911 25a83fd-25a841c RegQueryValueExA 887->911 889->889 898 25a8585-25a859f RegSetValueExA RegCloseKey 889->898 898->878 901->828 906->857 907 25a8515-25a851e call 25aec2e 906->907 907->857 916 25a841e-25a8421 911->916 917 25a842d-25a8441 RegSetValueExA 911->917 916->917 921 25a8423-25a8426 916->921 922 25a8447-25a844a RegCloseKey 917->922 921->917 924 25a8428-25a842b 921->924 922->886 924->917 924->922 925->880 926->862
                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 025A83F3
                                                                                                                                                                                • RegQueryValueExA.KERNELBASE(025B0750,?,00000000,?,025A8893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 025A8414
                                                                                                                                                                                • RegSetValueExA.KERNELBASE(025B0750,?,00000000,00000004,025A8893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 025A8441
                                                                                                                                                                                • RegCloseKey.ADVAPI32(025B0750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 025A844A
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Value$CloseOpenQuery
                                                                                                                                                                                • String ID: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe$localcfg
                                                                                                                                                                                • API String ID: 237177642-4107672054
                                                                                                                                                                                • Opcode ID: 6abcf58da43b7e5def6aec89f3cff39d544821187c304a0451b59bbfbb63f4ee
                                                                                                                                                                                • Instruction ID: e87615f728425fbb8bfa241fef41f073a79a1e0e3a1ef210f4d778e365ee543f
                                                                                                                                                                                • Opcode Fuzzy Hash: 6abcf58da43b7e5def6aec89f3cff39d544821187c304a0451b59bbfbb63f4ee
                                                                                                                                                                                • Instruction Fuzzy Hash: B5C182B1D40209BEEF12AFA4DC9AEEF7BBDFB48304F140865E901E6040E7305A549F29
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetVersionExA.KERNEL32 ref: 025A1DC6
                                                                                                                                                                                • GetSystemInfo.KERNELBASE(?), ref: 025A1DE8
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 025A1E03
                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 025A1E0A
                                                                                                                                                                                • GetCurrentProcess.KERNEL32(?), ref: 025A1E1B
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 025A1FC9
                                                                                                                                                                                  • Part of subcall function 025A1BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 025A1C15
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 50b6f2589eb992cf38187c1d8eb4bd3e02fda99c39087be508402950aa314611
• Instruction ID: 26e1a1e3388a4583877764f94e94a1d32bd9ec85f71ea82a33aa9db8bef0a98a
• Opcode Fuzzy Hash: 50b6f2589eb992cf38187c1d8eb4bd3e02fda99c39087be508402950aa314611
• Instruction Fuzzy Hash: 495192B09047456FE360AF758C9BF6BBEECFF84748F04491DA58A82182D774A504CB6D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                control_flow_graph 1001 25a73ff-25a7419 1002 25a741b 1001->1002 1003 25a741d-25a7422 1001->1003 1002->1003 1004 25a7426-25a742b 1003->1004 1005 25a7424 1003->1005 1006 25a742d 1004->1006 1007 25a7430-25a7435 1004->1007 1005->1004 1006->1007 1008 25a743a-25a7481 call 25a6dc2 call 25a2544 RegOpenKeyExA 1007->1008 1009 25a7437 1007->1009 1014 25a77f9-25a77fe call 25aee2a 1008->1014 1015 25a7487-25a749d call 25aee2a 1008->1015 1009->1008 1021 25a7801 1014->1021 1020 25a7703-25a770e RegEnumKeyA 1015->1020 1022 25a74a2-25a74b1 call 25a6cad 1020->1022 1023 25a7714-25a771d RegCloseKey 1020->1023 1024 25a7804-25a7808 1021->1024 1027 25a76ed-25a7700 1022->1027 1028 25a74b7-25a74cc call 25af1a5 1022->1028 1023->1021 1027->1020 1028->1027 1031 25a74d2-25a74f8 RegOpenKeyExA 1028->1031 1032 25a74fe-25a7530 call 25a2544 RegQueryValueExA 1031->1032 1033 25a7727-25a772a 1031->1033 1032->1033 1041 25a7536-25a753c 1032->1041 1035 25a772c-25a7740 call 25aef00 1033->1035 1036 25a7755-25a7764 call 25aee2a 1033->1036 1045 25a774b-25a774e 1035->1045 1046 25a7742-25a7745 RegCloseKey 1035->1046 1043 25a76df-25a76e2 1036->1043 1044 25a753f-25a7544 1041->1044 1043->1027 1047 25a76e4-25a76e7 RegCloseKey 1043->1047 1044->1044 1048 25a7546-25a754b 1044->1048 1049 25a77ec-25a77f7 RegCloseKey 1045->1049 1046->1045 1047->1027 1048->1036 1050 25a7551-25a756b call 25aee95 1048->1050 1049->1024 1050->1036 1053 25a7571-25a7593 call 25a2544 call 25aee95 1050->1053 1058 25a7599-25a75a0 1053->1058 1059 25a7753 1053->1059 1060 25a75c8-25a75d7 call 25aed03 1058->1060 1061 25a75a2-25a75c6 call 25aef00 call 25aed03 1058->1061 1059->1036 1066 25a75d8-25a75da 1060->1066 1061->1066 1068 25a75df-25a7623 call 25aee95 call 25a2544 call 25aee95 call 25aee2a 1066->1068 1069 25a75dc 1066->1069 1079 25a7626-25a762b 1068->1079 1069->1068 
1079->1079 1080 25a762d-25a7634 1079->1080 1081 25a7637-25a763c 1080->1081 1081->1081 1082 25a763e-25a7642 1081->1082 1083 25a765c-25a7673 call 25aed23 1082->1083 1084 25a7644-25a7656 call 25aed77 1082->1084 1090 25a7680 1083->1090 1091 25a7675-25a767e 1083->1091 1084->1083 1089 25a7769-25a777c call 25aef00 1084->1089 1096 25a77e3-25a77e6 RegCloseKey 1089->1096 1093 25a7683-25a768e call 25a6cad 1090->1093 1091->1093 1098 25a7722-25a7725 1093->1098 1099 25a7694-25a76bf call 25af1a5 call 25a6c96 1093->1099 1096->1049 1100 25a76dd 1098->1100 1105 25a76d8 1099->1105 1106 25a76c1-25a76c7 1099->1106 1100->1043 1105->1100 1106->1105 1107 25a76c9-25a76d2 1106->1107 1107->1105 1108 25a777e-25a7797 GetFileAttributesExA 1107->1108 1109 25a779a-25a779f 1108->1109 1110 25a7799 1108->1110 1111 25a77a3-25a77a8 1109->1111 1112 25a77a1 1109->1112 1110->1109 1113 25a77aa-25a77c0 call 25aee08 1111->1113 1114 25a77c4-25a77c8 1111->1114 1112->1111 1113->1114 1116 25a77ca-25a77d6 call 25aef00 1114->1116 1117 25a77d7-25a77dc 1114->1117 1116->1117 1119 25a77de 1117->1119 1120 25a77e0-25a77e2 1117->1120 1119->1120 1120->1096
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,761311B0,00000000), ref: 025A7472
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,761311B0,00000000), ref: 025A74F0
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,761311B0,00000000), ref: 025A7528
• ___ascii_stricmp.LIBCMT ref: 025A764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,761311B0,00000000), ref: 025A76E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 025A7706
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,761311B0,00000000), ref: 025A7717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,761311B0,00000000), ref: 025A7745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,761311B0,00000000), ref: 025A77EF
  • Part of subcall function 025AF1A5: lstrlenA.KERNEL32(000000C8,000000E4,025B22F8,000000C8,025A7150,?), ref: 025AF1AD
• GetFileAttributesExA.KERNELBASE(00000022,00000000,?), ref: 025A778F
• RegCloseKey.KERNELBASE(?), ref: 025A77E6
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 3ec0b717855eaab4c8f33574cf740c2ab9f1803781f894e214c032e983ac4cc0
• Instruction ID: cebc1ff81fec8f7fb410896c3ac21fd11cc137307b8af47e0836786597e0511d
• Opcode Fuzzy Hash: 3ec0b717855eaab4c8f33574cf740c2ab9f1803781f894e214c032e983ac4cc0
• Instruction Fuzzy Hash: CCC1847194020AABDB129FA4DC56BEEBBB9FF49310F1404A5E504E6190EB31DA54CF68
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                control_flow_graph 1123 25a675c-25a6778 1124 25a677a-25a677e SetFileAttributesA 1123->1124 1125 25a6784-25a67a2 CreateFileA 1123->1125 1124->1125 1126 25a67a4-25a67b2 CreateFileA 1125->1126 1127 25a67b5-25a67b8 1125->1127 1126->1127 1128 25a67ba-25a67bf SetFileAttributesA 1127->1128 1129 25a67c5-25a67c9 1127->1129 1128->1129 1130 25a67cf-25a67df GetFileSize 1129->1130 1131 25a6977-25a6986 1129->1131 1132 25a696b 1130->1132 1133 25a67e5-25a67e7 1130->1133 1134 25a696e-25a6971 FindCloseChangeNotification 1132->1134 1133->1132 1135 25a67ed-25a680b ReadFile 1133->1135 1134->1131 1135->1132 1136 25a6811-25a6824 SetFilePointer 1135->1136 1136->1132 1137 25a682a-25a6842 ReadFile 1136->1137 1137->1132 1138 25a6848-25a6861 SetFilePointer 1137->1138 1138->1132 1139 25a6867-25a6876 1138->1139 1140 25a6878-25a688f ReadFile 1139->1140 1141 25a68d5-25a68df 1139->1141 1143 25a68d2 1140->1143 1144 25a6891-25a689e 1140->1144 1141->1134 1142 25a68e5-25a68eb 1141->1142 1145 25a68ed 1142->1145 1146 25a68f0-25a68fe call 25aebcc 1142->1146 1143->1141 1147 25a68a0-25a68b5 1144->1147 1148 25a68b7-25a68ba 1144->1148 1145->1146 1146->1132 1155 25a6900-25a690b SetFilePointer 1146->1155 1150 25a68bd-25a68c3 1147->1150 1148->1150 1152 25a68c8-25a68ce 1150->1152 1153 25a68c5 1150->1153 1152->1140 1154 25a68d0 1152->1154 1153->1152 1154->1141 1156 25a695a-25a6969 call 25aec2e 1155->1156 1157 25a690d-25a6920 ReadFile 1155->1157 1156->1134 1157->1156 1158 25a6922-25a6958 1157->1158 1158->1134
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,761311B0,00000000), ref: 025A677E
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761311B0,00000000), ref: 025A679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761311B0,00000000), ref: 025A67B0
• SetFileAttributesA.KERNEL32(?,00000002,?,761311B0,00000000), ref: 025A67BF
• GetFileSize.KERNEL32(000000FF,00000000,?,761311B0,00000000), ref: 025A67D3
• ReadFile.KERNELBASE(000000FF,?,00000040,025A8244,00000000,?,761311B0,00000000), ref: 025A6807
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,761311B0,00000000), ref: 025A681F
• ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,761311B0,00000000), ref: 025A683E
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,761311B0,00000000), ref: 025A685C
• ReadFile.KERNEL32(000000FF,?,00000028,025A8244,00000000,?,761311B0,00000000), ref: 025A688B
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,761311B0,00000000), ref: 025A6906
• ReadFile.KERNEL32(000000FF,?,00000000,025A8244,00000000,?,761311B0,00000000), ref: 025A691C
• FindCloseChangeNotification.KERNELBASE(000000FF,?,761311B0,00000000), ref: 025A6971
  • Part of subcall function 025AEC2E: GetProcessHeap.KERNEL32(00000000,025AEA27,00000000,025AEA27,00000000), ref: 025AEC41
  • Part of subcall function 025AEC2E: RtlFreeHeap.NTDLL(00000000), ref: 025AEC48
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
• String ID:
• API String ID: 1400801100-0
• Opcode ID: 7a3065c04a5202e104b313de89cf9c0990afba908999251103a36c3a880d3e21
• Instruction ID: 2298fac286eaaa5ce8790564ec53e6e991539d8a752aa8f7c25af34aa1a241e1
• Opcode Fuzzy Hash: 7a3065c04a5202e104b313de89cf9c0990afba908999251103a36c3a880d3e21
• Instruction Fuzzy Hash: 327134B1C0021EEFDF158FA4CC91AEEBBBDFB04314F14456AE915A6190E7309E92DB64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                control_flow_graph 1161 25a2011-25a201e 1162 25a2020-25a202f call 25af04e 1161->1162 1163 25a2034-25a203b 1161->1163 1162->1163 1164 25a203d-25a204c call 25af04e 1163->1164 1165 25a2051-25a2058 1163->1165 1164->1165 1169 25a205a-25a2069 call 25af04e 1165->1169 1170 25a206e-25a208e GetTickCount 1165->1170 1169->1170 1173 25a20db-25a20e5 GetTickCount 1170->1173 1174 25a2090-25a209a 1170->1174 1175 25a2132-25a2170 GetTickCount * 2 call 25af04e 1173->1175 1176 25a20e7-25a20f1 1173->1176 1178 25a209c 1174->1178 1179 25a20d4-25a20d6 GetTickCount 1174->1179 1187 25a21cb-25a21da call 25af04e 1175->1187 1188 25a2172-25a21a1 call 25ae854 call 25ae819 1175->1188 1181 25a212b-25a212d GetTickCount 1176->1181 1182 25a20f3 1176->1182 1183 25a20a1-25a20ab call 25a2684 1178->1183 1179->1173 1181->1175 1185 25a20f8-25a20fa call 25a2ef8 1182->1185 1194 25a20bf-25a20cc 1183->1194 1195 25a20ad-25a20bd call 25a1978 1183->1195 1193 25a20ff-25a2102 1185->1193 1204 25a21fa-25a2204 1187->1204 1205 25a21dc-25a21e7 call 25aea84 1187->1205 1213 25a21a3-25a21a7 1188->1213 1214 25a21c1 1188->1214 1200 25a2116-25a2123 1193->1200 1201 25a2104-25a2114 call 25a1978 1193->1201 1194->1183 1198 25a20ce 1194->1198 1195->1194 1208 25a20d0 1195->1208 1198->1179 1200->1185 1202 25a2125 1200->1202 1201->1200 1215 25a2127 1201->1215 1202->1181 1212 25a21ec-25a21f5 call 25af04e 1205->1212 1208->1179 1212->1204 1213->1214 1217 25a21a9-25a21bf call 25a1c5f 1213->1217 1214->1187 1215->1181 1217->1187
APIs
• GetTickCount.KERNEL32 ref: 025A2078
• GetTickCount.KERNEL32 ref: 025A20D4
• GetTickCount.KERNEL32 ref: 025A20DB
• GetTickCount.KERNEL32 ref: 025A212B
• GetTickCount.KERNEL32 ref: 025A2132
• GetTickCount.KERNEL32 ref: 025A2142
  • Part of subcall function 025AF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,025AE342,00000000,7558EA50,80000001,00000000,025AE513,?,00000000,00000000,?,000000E4), ref: 025AF089
  • Part of subcall function 025AF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,025AE342,00000000,7558EA50,80000001,00000000,025AE513,?,00000000,00000000,?,000000E4,000000C8), ref: 025AF093
  • Part of subcall function 025AE854: lstrcpyA.KERNEL32(00000001,?,?,025AD8DF,00000001,localcfg,except_info,00100000,025B0264), ref: 025AE88B
  • Part of subcall function 025AE854: lstrlenA.KERNEL32(00000001,?,025AD8DF,00000001,localcfg,except_info,00100000,025B0264), ref: 025AE899
  • Part of subcall function 025A1C5F: wsprintfA.USER32 ref: 025A1CE1
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: 5d4490d999308da744a930b2e90d34557c5c2653704418bdfd7e1c4c274ed8b9
• Instruction ID: 3234badba868dcd2d7bfe3636738b19ef61a4b8df0d99f3d14a8fb667b94cc53
• Opcode Fuzzy Hash: 5d4490d999308da744a930b2e90d34557c5c2653704418bdfd7e1c4c274ed8b9
• Instruction Fuzzy Hash: 12510370D4834A4EE76AEF24ECA7B6ABFD5BB40314F000819DE06C6190DBB4D058EB2D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                control_flow_graph 1221 25af315-25af332 1222 25af33b-25af372 call 25aee2a htons socket 1221->1222 1223 25af334-25af336 1221->1223 1227 25af382-25af39b ioctlsocket 1222->1227 1228 25af374-25af37d closesocket 1222->1228 1224 25af424-25af427 1223->1224 1229 25af3aa-25af3f0 connect select 1227->1229 1230 25af39d 1227->1230 1228->1224 1232 25af3f2-25af401 __WSAFDIsSet 1229->1232 1233 25af421 1229->1233 1231 25af39f-25af3a8 closesocket 1230->1231 1234 25af423 1231->1234 1232->1231 1235 25af403-25af416 ioctlsocket call 25af26d 1232->1235 1233->1234 1234->1224 1237 25af41b-25af41f 1235->1237 1237->1234
APIs
• htons.WS2_32(025ACA1D), ref: 025AF34D
• socket.WS2_32(00000002,00000001,00000000), ref: 025AF367
• closesocket.WS2_32(00000000), ref: 025AF375
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 1dcac43e6dc7d7de7d79d5407d1e3636c402176a26784026e61df8a1dc0567dc
                                                                                                                                                                                • Instruction ID: 80bc14daf5d75d145ffd2fb7c04dba224aff75755e61e908fa9d3e4f5194d011
                                                                                                                                                                                • Opcode Fuzzy Hash: 1dcac43e6dc7d7de7d79d5407d1e3636c402176a26784026e61df8a1dc0567dc
                                                                                                                                                                                • Instruction Fuzzy Hash: C6316B72940119ABDB119FA4EC869EFBBBCFF88310F104566F915D2140E7309A458BA8
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 1238 25a2d21-25a2d44 GetModuleHandleA 1239 25a2d5b-25a2d69 GetProcAddress 1238->1239 1240 25a2d46-25a2d52 LoadLibraryA 1238->1240 1241 25a2d54-25a2d56 1239->1241 1242 25a2d6b-25a2d7b DnsQuery_A 1239->1242 1240->1239 1240->1241 1243 25a2dee-25a2df1 1241->1243 1242->1241 1244 25a2d7d-25a2d88 1242->1244 1245 25a2d8a-25a2d8b 1244->1245 1246 25a2deb 1244->1246 1247 25a2d90-25a2d95 1245->1247 1246->1243 1248 25a2de2-25a2de8 1247->1248 1249 25a2d97-25a2d9f GetProcessHeap 1247->1249 1248->1247 1250 25a2dea 1248->1250 1251 25a2da6-25a2daa 1249->1251 1250->1246 1251->1250 1252 25a2dac-25a2dd9 call 25aee2a lstrcpynA 1251->1252 1255 25a2ddb-25a2dde 1252->1255 1256 25a2de0 1252->1256 1255->1248 1256->1248
APIs
• GetModuleHandleA.KERNEL32(00000000,76132640,?,00000000,025A2F01,?,025A20FF,025B2000), ref: 025A2D3A
• LoadLibraryA.KERNEL32(?), ref: 025A2D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 025A2D61
• DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 025A2D77
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 025A2D99
• RtlAllocateHeap.NTDLL(00000000), ref: 025A2DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 025A2DCB
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
• String ID: DnsQuery_A$dnsapi.dll$]Vw`'Vw
• API String ID: 1093190573-312264031
• Opcode ID: 00f7fb7fbbaf86eeb07a41bcb0b38b8348c3591ff19e2f3aad1bc3985beb73d5
• Instruction ID: 6ffb2ffa638a53f45afc4a829ad19d61ce5f199600c8841322205a556e43966d
• Opcode Fuzzy Hash: 00f7fb7fbbaf86eeb07a41bcb0b38b8348c3591ff19e2f3aad1bc3985beb73d5
• Instruction Fuzzy Hash: 4C219071D4062AABCB229F54DC5AAAFBFB9FF08B50F004416FC05E7141D370998687D8
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 1257 25a405e-25a407b CreateEventA 1258 25a407d-25a4081 1257->1258 1259 25a4084-25a40a8 call 25a3ecd call 25a4000 1257->1259 1264 25a40ae-25a40be call 25aee2a 1259->1264 1265 25a4130-25a413e call 25aee2a 1259->1265 1264->1265 1271 25a40c0-25a40f1 call 25aeca5 call 25a3f18 call 25a3f8c 1264->1271 1270 25a413f-25a4165 call 25a3ecd CreateNamedPipeA 1265->1270 1276 25a4188-25a4193 ConnectNamedPipe 1270->1276 1277 25a4167-25a4174 Sleep 1270->1277 1288 25a40f3-25a40ff 1271->1288 1289 25a4127-25a412a CloseHandle 1271->1289 1280 25a41ab-25a41c0 call 25a3f8c 1276->1280 1281 25a4195-25a41a5 GetLastError 1276->1281 1277->1270 1282 25a4176-25a4182 CloseHandle 1277->1282 1280->1276 1290 25a41c2-25a41f2 call 25a3f18 call 25a3f8c 1280->1290 1281->1280 1284 25a425e-25a4265 DisconnectNamedPipe 1281->1284 1282->1276 1284->1276 1288->1289 1291 25a4101-25a4121 call 25a3f18 ExitProcess 1288->1291 1289->1265 1290->1284 1298 25a41f4-25a4200 1290->1298 1298->1284 1299 25a4202-25a4215 call 25a3f8c 1298->1299 1299->1284 1302 25a4217-25a421b 1299->1302 1302->1284 1303 25a421d-25a4230 call 25a3f8c 1302->1303 1303->1284 1306 25a4232-25a4236 1303->1306 1306->1276 1307 25a423c-25a4251 call 25a3f18 1306->1307 1310 25a426a-25a4276 CloseHandle * 2 call 25ae318 1307->1310 1311 25a4253-25a4259 1307->1311 1313 25a427b 1310->1313 1311->1276 1313->1313
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 025A4070
• ExitProcess.KERNEL32 ref: 025A4121
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateEventExitProcess
• String ID:
• API String ID: 2404124870-0
• Opcode ID: 9c6118c44bb0996944a0e727f072271807f5a2cf95eec0e62a999d2ff9469d09
• Instruction ID: 89d013db6f24705972d8db71ae6f1a231d121fcc911b8b205f8ca7ff2c5c604d
• Opcode Fuzzy Hash: 9c6118c44bb0996944a0e727f072271807f5a2cf95eec0e62a999d2ff9469d09
• Instruction Fuzzy Hash: 14517FB1D40219BAEB21AAA0CC56FBF7ABDFF50718F000465F600B6080E7749A55DBA9
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 1314 25a80c9-25a80ed call 25a6ec3 1317 25a80f9-25a8115 call 25a704c 1314->1317 1318 25a80ef call 25a7ee6 1314->1318 1323 25a8225-25a822b 1317->1323 1324 25a811b-25a8121 1317->1324 1322 25a80f4 1318->1322 1322->1323 1325 25a826c-25a8273 1323->1325 1326 25a822d-25a8233 1323->1326 1324->1323 1327 25a8127-25a812a 1324->1327 1326->1325 1328 25a8235-25a823f call 25a675c 1326->1328 1327->1323 1329 25a8130-25a8167 call 25a2544 RegOpenKeyExA 1327->1329 1332 25a8244-25a824b 1328->1332 1335 25a816d-25a818b RegQueryValueExA 1329->1335 1336 25a8216-25a8222 call 25aee2a 1329->1336 1332->1325 1334 25a824d-25a8269 call 25a24c2 call 25aec2e 1332->1334 1334->1325 1338 25a818d-25a8191 1335->1338 1339 25a81f7-25a81fe 1335->1339 1336->1323 1338->1339 1344 25a8193-25a8196 1338->1344 1342 25a820d-25a8210 RegCloseKey 1339->1342 1343 25a8200-25a8206 call 25aec2e 1339->1343 1342->1336 1352 25a820c 1343->1352 1344->1339 1348 25a8198-25a81a8 call 25aebcc 1344->1348 1348->1342 1354 25a81aa-25a81c2 RegQueryValueExA 1348->1354 1352->1342 1354->1339 1355 25a81c4-25a81ca 1354->1355 1356 25a81cd-25a81d2 1355->1356 1356->1356 1357 25a81d4-25a81e5 call 25aebcc 1356->1357 1357->1342 1360 25a81e7-25a81f5 call 25aef00 1357->1360 1360->1352
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,761311B0,00000000), ref: 025A815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,025AA45F,?,?,00000000,00000101,?,?,?,?,761311B0,00000000), ref: 025A8187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,025AA45F,?,?,00000000,00000101,?,?,?,?,761311B0,00000000), ref: 025A81BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,761311B0,00000000), ref: 025A8210
  • Part of subcall function 025A675C: SetFileAttributesA.KERNEL32(?,00000080,?,761311B0,00000000), ref: 025A677E
  • Part of subcall function 025A675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761311B0,00000000), ref: 025A679A
  • Part of subcall function 025A675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761311B0,00000000), ref: 025A67B0
  • Part of subcall function 025A675C: SetFileAttributesA.KERNEL32(?,00000002,?,761311B0,00000000), ref: 025A67BF
  • Part of subcall function 025A675C: GetFileSize.KERNEL32(000000FF,00000000,?,761311B0,00000000), ref: 025A67D3
  • Part of subcall function 025A675C: ReadFile.KERNELBASE(000000FF,?,00000040,025A8244,00000000,?,761311B0,00000000), ref: 025A6807
  • Part of subcall function 025A675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,761311B0,00000000), ref: 025A681F
  • Part of subcall function 025A675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,761311B0,00000000), ref: 025A683E
  • Part of subcall function 025A675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,761311B0,00000000), ref: 025A685C
  • Part of subcall function 025AEC2E: GetProcessHeap.KERNEL32(00000000,025AEA27,00000000,025AEA27,00000000), ref: 025AEC41
  • Part of subcall function 025AEC2E: RtlFreeHeap.NTDLL(00000000), ref: 025AEC48
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\ptlohvde\wdkncqjt.exe
• API String ID: 124786226-3552900515
• Opcode ID: c3acf5208c426a815a2d8ae03b18d53be68e9a53c4ee455f45686cd7fc18b67a
• Instruction ID: 0e9a7b00f93052f8fb29a177cb84da5651df714d8e3995d59755c43e3b7e6b08
• Opcode Fuzzy Hash: c3acf5208c426a815a2d8ae03b18d53be68e9a53c4ee455f45686cd7fc18b67a
• Instruction Fuzzy Hash: B94163B2D45109BFEB12AFA0DD96DBE7BBDFB44304F144866E905E2000E7309E589B6D
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 1363 25a1ac3-25a1adc LoadLibraryA 1364 25a1b6b-25a1b70 1363->1364 1365 25a1ae2-25a1af3 GetProcAddress 1363->1365 1366 25a1b6a 1365->1366 1367 25a1af5-25a1b01 1365->1367 1366->1364 1368 25a1b1c-25a1b27 GetAdaptersAddresses 1367->1368 1369 25a1b29-25a1b2b 1368->1369 1370 25a1b03-25a1b12 call 25aebed 1368->1370 1372 25a1b5b-25a1b5e 1369->1372 1373 25a1b2d-25a1b32 1369->1373 1370->1369 1378 25a1b14-25a1b1b 1370->1378 1375 25a1b69 1372->1375 1377 25a1b60-25a1b68 call 25aec2e 1372->1377 1373->1375 1376 25a1b34-25a1b3b 1373->1376 1375->1366 1379 25a1b3d-25a1b52 1376->1379 1380 25a1b54-25a1b59 1376->1380 1377->1375 1378->1368 1379->1379 1379->1380 1380->1372 1380->1376
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 025A1AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 025A1AE9
• GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 025A1B20
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 3646706440-1087626847
• Opcode ID: 317567453b32a9ca1f5c34b16949886a3bba80912a2298224ea545d240445eee
• Instruction ID: 187a8fbf22c1c430ef1814708d9c3140632168838695d450b2c6b5dfb5b54d02
• Opcode Fuzzy Hash: 317567453b32a9ca1f5c34b16949886a3bba80912a2298224ea545d240445eee
• Instruction Fuzzy Hash: 8B11B771E0252CBFDB169BA8CD968EEFFBAFB44B10F148055E019A7140E7308A44DB98
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 1383 25ae3ca-25ae3ee RegOpenKeyExA 1384 25ae528-25ae52d 1383->1384 1385 25ae3f4-25ae3fb 1383->1385 1386 25ae3fe-25ae403 1385->1386 1386->1386 1387 25ae405-25ae40f 1386->1387 1388 25ae411-25ae413 1387->1388 1389 25ae414-25ae452 call 25aee08 call 25af1ed RegQueryValueExA 1387->1389 1388->1389 1394 25ae458-25ae486 call 25af1ed RegQueryValueExA 1389->1394 1395 25ae51d-25ae527 RegCloseKey 1389->1395 1398 25ae488-25ae48a 1394->1398 1395->1384 1398->1395 1399 25ae490-25ae4a1 call 25adb2e 1398->1399 1399->1395 1402 25ae4a3-25ae4a6 1399->1402 1403 25ae4a9-25ae4d3 call 25af1ed RegQueryValueExA 1402->1403 1406 25ae4e8-25ae4ea 1403->1406 1407 25ae4d5-25ae4da 1403->1407 1406->1395 1409 25ae4ec-25ae516 call 25a2544 call 25ae332 1406->1409 1407->1406 1408 25ae4dc-25ae4e6 1407->1408 1408->1403 1408->1406 1409->1395
APIs
• RegOpenKeyExA.KERNELBASE(80000001,025AE5F2,00000000,00020119,025AE5F2,025B22F8), ref: 025AE3E6
• RegQueryValueExA.ADVAPI32(025AE5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 025AE44E
• RegQueryValueExA.ADVAPI32(025AE5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 025AE482
• RegQueryValueExA.ADVAPI32(025AE5F2,?,00000000,?,80000001,?), ref: 025AE4CF
• RegCloseKey.ADVAPI32(025AE5F2,?,?,?,?,000000C8,000000E4), ref: 025AE520
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: 7987005692a77532741708702524544d54b41193fa06c2ba52388ce176e2a355
• Instruction ID: 83bd018e5ec10c9bcb74ecdb5f30d1ffb0a86e0e3c89afce786ae202c06422b2
• Opcode Fuzzy Hash: 7987005692a77532741708702524544d54b41193fa06c2ba52388ce176e2a355
• Instruction Fuzzy Hash: F14107B2D4021EBFDF11AFA8DC92DEEBBBDFB48304F544466E910A2150E3319A159F64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph image omitted: single basic block 25af26d-25af303 calling setsockopt five times]
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 025AF2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 025AF2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 025AF2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 025AF2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 025AF2FD
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: cddc2c40a9714d5dc1986ec22bc883cceba7e37c7f1dfea27abb53b21b469098
• Instruction ID: c919086a3ab940ee25185577919a3d4f117126608e8c496f2d994afcbeeb9bf1
• Opcode Fuzzy Hash: cddc2c40a9714d5dc1986ec22bc883cceba7e37c7f1dfea27abb53b21b469098
• Instruction Fuzzy Hash: 77110DB1A40248BAEF11DF94CD41FDE7FBCEB44751F004066BB04EA1D0E6B19A44DB94
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 025A1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 025A1AD4
  • Part of subcall function 025A1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 025A1AE9
  • Part of subcall function 025A1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 025A1B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 025A1C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 025A1C51
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2794401326-2393279970
• Opcode ID: b1417488262fca44639ebbe097232201fde5cef343e1e5fd4e59a40a914a5a96
• Instruction ID: 01b8da59af58f459e35c73af02ac2caf02fb5ca02d99661b3078f4076c08ad5c
• Opcode Fuzzy Hash: b1417488262fca44639ebbe097232201fde5cef343e1e5fd4e59a40a914a5a96
• Instruction Fuzzy Hash: A10180B2A4461CBBEB50DEE8C8E69FFBABCBB44655F104875E706E3140D2309E4496A4
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 025A1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 025A1AD4
  • Part of subcall function 025A1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 025A1AE9
  • Part of subcall function 025A1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 025A1B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 025A1BA3
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,025A1EFD,00000000,00000000,00000000,00000000), ref: 025A1BB8
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2794401326-1857712256
• Opcode ID: 3053d43507fa4f6f8874561e5f31730350c2e3581d056b277d05ca04b645282c
• Instruction ID: 0c621566febc86dd18607c95d8e2d580e4864b718a04a7664ee013a6a470b08a
• Opcode Fuzzy Hash: 3053d43507fa4f6f8874561e5f31730350c2e3581d056b277d05ca04b645282c
• Instruction Fuzzy Hash: 0C014FB6D0050CBFE7019AE9C8829EFFABDAB48654F154561A605E7180D5705E084AB4
Uniqueness

Uniqueness Score: -1.00%

APIs
• inet_addr.WS2_32(00000002), ref: 025A2693
• gethostbyname.WS2_32(00000002), ref: 025A269F
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: 212e9e79548c1d27c65ed5bd8bc48db0c04f8e5703ddf5d9ec9b7d3539920afc
• Instruction ID: 46ecb859e18b267ded6a248658e1f4c35b6658ce3a14c146b5f08ffb8714abf6
• Opcode Fuzzy Hash: 212e9e79548c1d27c65ed5bd8bc48db0c04f8e5703ddf5d9ec9b7d3539920afc
• Instruction Fuzzy Hash: 4DE08C30A050118FCB918F2CF456A9E7BA4AF06230F018580F840C7190CB30DC809688
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,025AEBFE,7FFF0001,?,025ADB55,7FFF0001), ref: 025AEBD3
• RtlAllocateHeap.NTDLL(00000000,?,025ADB55,7FFF0001), ref: 025AEBDA
  • Part of subcall function 025AEB74: GetProcessHeap.KERNEL32(00000000,00000000,025AEC28,00000000,?,025ADB55,7FFF0001), ref: 025AEB81
  • Part of subcall function 025AEB74: HeapSize.KERNEL32(00000000,?,025ADB55,7FFF0001), ref: 025AEB88
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AllocateSize
• String ID: ]Vw`'Vw
• API String ID: 2559512979-147723481
• Opcode ID: af6f329e08b9b5efe200114491360e27f9a81b8d13777df86c266609ad323c52
• Instruction ID: 4d66b88f9ee1e6a718d1d89c0506c22fd6f3c8c0ae544adacb77700056734c45
• Opcode Fuzzy Hash: af6f329e08b9b5efe200114491360e27f9a81b8d13777df86c266609ad323c52
• Instruction Fuzzy Hash: 99C0803254522067C6463BA4BC0DFDF3E98EF84352F040414F505C1190C73048509799
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 025ADD05: GetTickCount.KERNEL32 ref: 025ADD0F
  • Part of subcall function 025ADD05: InterlockedExchange.KERNEL32(025B36B4,00000001), ref: 025ADD44
  • Part of subcall function 025ADD05: GetCurrentThreadId.KERNEL32 ref: 025ADD53
• GetFileSize.KERNEL32(00000000,00000000,?,761311B0,?,00000000,?,025AA445), ref: 025AE558
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,761311B0,?,00000000,?,025AA445), ref: 025AE583
• CloseHandle.KERNEL32(00000000,?,761311B0,?,00000000,?,025AA445), ref: 025AE5B2
Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3683885500-0
                                                                                                                                                                                • Opcode ID: c7b42356cd0976a324074602dbd4ae6025ecc1da36eb43510558894091ed4927
                                                                                                                                                                                • Instruction ID: fa6f95f9b1d2f000b4e5c6e1154ab55550fd5f912af882f9dc14a93f7b978530
                                                                                                                                                                                • Opcode Fuzzy Hash: c7b42356cd0976a324074602dbd4ae6025ecc1da36eb43510558894091ed4927
                                                                                                                                                                                • Instruction Fuzzy Hash: 9321F8B19802063AF2617E21DC27FAF3E1EFF95750F000864BE0AB51D2FA51E81489BD
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • Sleep.KERNELBASE(000003E8), ref: 025A88A5
                                                                                                                                                                                  • Part of subcall function 025AF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,025AE342,00000000,7558EA50,80000001,00000000,025AE513,?,00000000,00000000,?,000000E4), ref: 025AF089
                                                                                                                                                                                  • Part of subcall function 025AF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,025AE342,00000000,7558EA50,80000001,00000000,025AE513,?,00000000,00000000,?,000000E4,000000C8), ref: 025AF093
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Time$FileSystem$Sleep
                                                                                                                                                                                • String ID: localcfg$rresolv
                                                                                                                                                                                • API String ID: 1561729337-486471987
                                                                                                                                                                                • Opcode ID: 1c0453455c2875146bd46454d36de354e522044a213c360409ab44dc79a84c42
                                                                                                                                                                                • Instruction ID: 6a9d6f263563f8a8aef426037db8ccc75edb33d60aa25f69601c74c57d27a1ef
                                                                                                                                                                                • Opcode Fuzzy Hash: 1c0453455c2875146bd46454d36de354e522044a213c360409ab44dc79a84c42
                                                                                                                                                                                • Instruction Fuzzy Hash: 562198319883036AF355BB65EC6BBBE7AD9BB84722F600C19F904D60C0EFA145544DBD
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,025B22F8,025A42B6,00000000,00000001,025B22F8,00000000,?,025A98FD), ref: 025A4021
                                                                                                                                                                                • GetLastError.KERNEL32(?,025A98FD,00000001,00000100,025B22F8,025AA3C7), ref: 025A402C
                                                                                                                                                                                • Sleep.KERNEL32(000001F4,?,025A98FD,00000001,00000100,025B22F8,025AA3C7), ref: 025A4046
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CreateErrorFileLastSleep
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 408151869-0
                                                                                                                                                                                • Opcode ID: 7a52bd9e0f73563d144a4a580ba822ac36a3cc4e0586f88537e91cf227a0bc0f
                                                                                                                                                                                • Instruction ID: 935fb799109073701c3a4c26319513e377a900e75e859d5106b9b12f11afcff8
                                                                                                                                                                                • Opcode Fuzzy Hash: 7a52bd9e0f73563d144a4a580ba822ac36a3cc4e0586f88537e91cf227a0bc0f
                                                                                                                                                                                • Instruction Fuzzy Hash: 89F08931644145AED7710A64AC5773E3651FB81724F658B14F3B5E50D0C7B04485B61D
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetEnvironmentVariableA.KERNEL32(025ADC19,?,00000104), ref: 025ADB7F
                                                                                                                                                                                • lstrcpyA.KERNEL32(?,025B28F8), ref: 025ADBA4
                                                                                                                                                                                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 025ADBC2
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2536392590-0
                                                                                                                                                                                • Opcode ID: 5918f254799dac3ccf10006f9e36d5f9289c5ac9615d8c96a9876660ebf2b697
                                                                                                                                                                                • Instruction ID: 6afa7f7e8909c0e0c71051eb681cb4823e316d40e9b47d292c486c241ed99550
                                                                                                                                                                                • Opcode Fuzzy Hash: 5918f254799dac3ccf10006f9e36d5f9289c5ac9615d8c96a9876660ebf2b697
                                                                                                                                                                                • Instruction Fuzzy Hash: BAF0B47054020DABEF11DF64DC4AFEA3B69BB04348F504594BB51A40D0D7F2D559DF18
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 025AEC5E
                                                                                                                                                                                • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 025AEC72
                                                                                                                                                                                • GetTickCount.KERNEL32 ref: 025AEC78
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1209300637-0
                                                                                                                                                                                • Opcode ID: bce84f5dc1e860d15b662e4dcab7ab22c5d4b3c5c60ac9cc5eb9b3653e9e7570
                                                                                                                                                                                • Instruction ID: e6fbe9915fa8777d0afc5d65028467ae9a663a962661530e99183d9b68797db6
                                                                                                                                                                                • Opcode Fuzzy Hash: bce84f5dc1e860d15b662e4dcab7ab22c5d4b3c5c60ac9cc5eb9b3653e9e7570
                                                                                                                                                                                • Instruction Fuzzy Hash: F5E09AF5C50208BFEB46AFB4DC4AE7B77BCEB08314F900A50B911D60D0EA70DA189B64
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • gethostname.WS2_32(?,00000080), ref: 025A30D8
                                                                                                                                                                                • gethostbyname.WS2_32(?), ref: 025A30E2
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: gethostbynamegethostname
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3961807697-0
                                                                                                                                                                                • Opcode ID: 5f81fab3e8ca608f7b564f973176c09da4d0427cd4d56e73fb549dabf5008af3
                                                                                                                                                                                • Instruction ID: 47a126fcec86114240cee14780f60e8d54ab54b675523d5826030ae9b16cc84c
                                                                                                                                                                                • Opcode Fuzzy Hash: 5f81fab3e8ca608f7b564f973176c09da4d0427cd4d56e73fb549dabf5008af3
                                                                                                                                                                                • Instruction Fuzzy Hash: FCE06571D00119ABCF409BA8EC86F9F77ACBB04208F180461F905E3280EA34E5088794
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 025AEBA0: GetProcessHeap.KERNEL32(00000000,00000000,025AEC0A,00000000,80000001,?,025ADB55,7FFF0001), ref: 025AEBAD
                                                                                                                                                                                  • Part of subcall function 025AEBA0: HeapSize.KERNEL32(00000000,?,025ADB55,7FFF0001), ref: 025AEBB4
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,025AEA27,00000000,025AEA27,00000000), ref: 025AEC41
                                                                                                                                                                                • RtlFreeHeap.NTDLL(00000000), ref: 025AEC48
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$Process$FreeSize
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1305341483-0
                                                                                                                                                                                • Opcode ID: 18112ed3d42e8ce59d546855745f7892bb9acb57cf02853b314b724e89e75949
                                                                                                                                                                                • Instruction ID: aed09315aaaf8e60fe7c55ec7e8831d5e451d0fb98c7555d9db3526ac2c7b995
                                                                                                                                                                                • Opcode Fuzzy Hash: 18112ed3d42e8ce59d546855745f7892bb9acb57cf02853b314b724e89e75949
                                                                                                                                                                                • Instruction Fuzzy Hash: 01C012328462306BC5963A50BC2FF9F6B5CAF85651F090809F505670808760984056ED
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• recv.WS2_32(000000C8,?,00000000,025ACA44), ref: 025AF476
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• closesocket.WS2_32(00000000), ref: 025A1992
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcmpiA.KERNEL32(80000011,00000000), ref: 025ADDB5
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,025A9816,EntryPoint), ref: 025A638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,025A9816,EntryPoint), ref: 025A63A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 025A63CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 025A63EB
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,025A1839,025A9646), ref: 025A1012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 025A10C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 025A10E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 025A1101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 025A1121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 025A1140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 025A1160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 025A1180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 025A119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 025A11BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 025A11DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 025A11FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 025A121A
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 025AB2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 025AB2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 025AB2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 025AB2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 025AB31A
• GetTimeZoneInformation.KERNEL32(?), ref: 025AB329
• wsprintfA.USER32 ref: 025AB3B7
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • wsprintfA.USER32 ref: 025AA7FB
                                                                                                                                                                                • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 025AA87E
                                                                                                                                                                                • send.WS2_32(00000000,?,00000000,00000000), ref: 025AA893
                                                                                                                                                                                • wsprintfA.USER32 ref: 025AA8AF
                                                                                                                                                                                • send.WS2_32(00000000,.,00000005,00000000), ref: 025AA8D2
                                                                                                                                                                                • wsprintfA.USER32 ref: 025AA8E2
                                                                                                                                                                                • recv.WS2_32(00000000,?,000003F6,00000000), ref: 025AA97C
                                                                                                                                                                                • wsprintfA.USER32 ref: 025AA9B9
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: wsprintf$send$lstrlenrecv
                                                                                                                                                                                • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                                                                                                • API String ID: 3650048968-2394369944
                                                                                                                                                                                • Opcode ID: bdbf67d38798cab579c7ab8a6f6b3b5bd47e784a98008a261b1c9a6f57aa0669
                                                                                                                                                                                • Instruction ID: d0981929cfe7304caa32df6bb6b1e0a991b1c1ede14c49629d83e152ba09375b
                                                                                                                                                                                • Opcode Fuzzy Hash: bdbf67d38798cab579c7ab8a6f6b3b5bd47e784a98008a261b1c9a6f57aa0669
                                                                                                                                                                                • Instruction Fuzzy Hash: F8A10C7194430AABEF228E54DCA7FBE7B79BB40318F140866F902A6090DB719958CB5D
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7612F620), ref: 025A2A83
                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,?,7612F620), ref: 025A2A86
                                                                                                                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 025A2AA0
                                                                                                                                                                                • htons.WS2_32(00000000), ref: 025A2ADB
                                                                                                                                                                                • select.WS2_32 ref: 025A2B28
                                                                                                                                                                                • recv.WS2_32(?,00000000,00001000,00000000), ref: 025A2B4A
                                                                                                                                                                                • htons.WS2_32(?), ref: 025A2B71
                                                                                                                                                                                • htons.WS2_32(?), ref: 025A2B8C
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 025A2BFB
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                                                                                                • String ID: ]Vw`'Vw
                                                                                                                                                                                • API String ID: 1639031587-147723481
                                                                                                                                                                                • Opcode ID: e7cd0477d33fd5f9668e4ec5c92524f3a1a299c33fda336c50ed5e46e065a04f
                                                                                                                                                                                • Instruction ID: 648ce03b1032f11bf0adca145c8be2ea651207a40aca21a904b41ee57dd536b2
                                                                                                                                                                                • Opcode Fuzzy Hash: e7cd0477d33fd5f9668e4ec5c92524f3a1a299c33fda336c50ed5e46e065a04f
                                                                                                                                                                                • Instruction Fuzzy Hash: E061B071904305ABD7219F64DC6BB6FBBE8FB88795F000809FD49D7180D7B0D8488BAA
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • ShellExecuteExW.SHELL32(?), ref: 025A139A
                                                                                                                                                                                • lstrlenW.KERNEL32(-00000003), ref: 025A1571
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ExecuteShelllstrlen
                                                                                                                                                                                • String ID: $%systemroot%\system32\cmd.exe$<$@$@EJv$D$uac$useless$wusa.exe
                                                                                                                                                                                • API String ID: 1628651668-3954050976
                                                                                                                                                                                • Opcode ID: bff67474c32b7a17139206319b5a210766047f06ca48346b80c70ead4e3ee49f
                                                                                                                                                                                • Instruction ID: aca5e55bc052a5bb8b7ff183fd82e0e67ffe8fbdb2d4d98e8fa253287441f6c5
                                                                                                                                                                                • Opcode Fuzzy Hash: bff67474c32b7a17139206319b5a210766047f06ca48346b80c70ead4e3ee49f
                                                                                                                                                                                • Instruction Fuzzy Hash: 84F189B55087419FD321DF64C899BAEBBE5FB88304F008D1DF99A97280D774D848CB5A
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(iphlpapi.dll,76132640,?,000DBBA0,?,00000000,025A2F0F,?,025A20FF,025B2000), ref: 025A2E01
                                                                                                                                                                                • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,025A2F0F,?,025A20FF,025B2000), ref: 025A2E11
                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 025A2E2E
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,025A2F0F,?,025A20FF,025B2000), ref: 025A2E4C
                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,?,00000000,025A2F0F,?,025A20FF,025B2000), ref: 025A2E4F
                                                                                                                                                                                • htons.WS2_32(00000035), ref: 025A2E88
                                                                                                                                                                                • inet_addr.WS2_32(?), ref: 025A2E93
                                                                                                                                                                                • gethostbyname.WS2_32(?), ref: 025A2EA6
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,00000000,025A2F0F,?,025A20FF,025B2000), ref: 025A2EE3
                                                                                                                                                                                • HeapFree.KERNEL32(00000000,?,00000000,025A2F0F,?,025A20FF,025B2000), ref: 025A2EE6
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                                                                                                • String ID: GetNetworkParams$iphlpapi.dll$]Vw`'Vw
                                                                                                                                                                                • API String ID: 929413710-3538517857
                                                                                                                                                                                • Opcode ID: a1a08d8aad54d2d73c6892d5db8c038b17a426bd770849fda6bf69142855343a
                                                                                                                                                                                • Instruction ID: 5c0b3474958701caa76325f2d90a3ef5cd870da9b9e601a6f9a768155c2a7a11
                                                                                                                                                                                • Opcode Fuzzy Hash: a1a08d8aad54d2d73c6892d5db8c038b17a426bd770849fda6bf69142855343a
                                                                                                                                                                                • Instruction Fuzzy Hash: AF31BC31E4020AABDB129FB8985ABBF7BB8BF04364F140515ED14E72C0EB30C5959B68
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,761311B0,?,761311B0,00000000), ref: 025A70C2
                                                                                                                                                                                • RegEnumValueA.ADVAPI32(761311B0,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,761311B0,00000000), ref: 025A719E
                                                                                                                                                                                • RegCloseKey.ADVAPI32(761311B0,?,761311B0,00000000), ref: 025A71B2
                                                                                                                                                                                • RegCloseKey.ADVAPI32(761311B0), ref: 025A7208
                                                                                                                                                                                • RegCloseKey.ADVAPI32(761311B0), ref: 025A7291
                                                                                                                                                                                • ___ascii_stricmp.LIBCMT ref: 025A72C2
                                                                                                                                                                                • RegCloseKey.ADVAPI32(761311B0), ref: 025A72D0
                                                                                                                                                                                • RegCloseKey.ADVAPI32(761311B0), ref: 025A7314
                                                                                                                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 025A738D
                                                                                                                                                                                • RegCloseKey.ADVAPI32(761311B0), ref: 025A73D8
                                                                                                                                                                                  • Part of subcall function 025AF1A5: lstrlenA.KERNEL32(000000C8,000000E4,025B22F8,000000C8,025A7150,?), ref: 025AF1AD
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                                                                                                                • String ID: $"
                                                                                                                                                                                • API String ID: 4293430545-3817095088
                                                                                                                                                                                • Opcode ID: 122028973ce2e8d6f09514aaafb6c2c41b5c68b2c00055727b07245c5a606d13
                                                                                                                                                                                • Instruction ID: 69cf47ff9e94f09e703aee2618242b2d403b41f48f0c2e466a86026ab9580ade
                                                                                                                                                                                • Opcode Fuzzy Hash: 122028973ce2e8d6f09514aaafb6c2c41b5c68b2c00055727b07245c5a606d13
                                                                                                                                                                                • Instruction Fuzzy Hash: 03B18371D4420AAEDF159FA4DC66BEFBBB9FF48300F100466F501E6090EB719A94CB68
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetLocalTime.KERNEL32(?), ref: 025AAD98
                                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 025AADA6
                                                                                                                                                                                  • Part of subcall function 025AAD08: gethostname.WS2_32(?,00000080), ref: 025AAD1C
                                                                                                                                                                                  • Part of subcall function 025AAD08: lstrlenA.KERNEL32(00000000), ref: 025AAD60
                                                                                                                                                                                  • Part of subcall function 025AAD08: lstrlenA.KERNEL32(00000000), ref: 025AAD69
  • Part of subcall function 025AAD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 025AAD7F
  • Part of subcall function 025A30B5: gethostname.WS2_32(?,00000080), ref: 025A30D8
  • Part of subcall function 025A30B5: gethostbyname.WS2_32(?), ref: 025A30E2
• wsprintfA.USER32 ref: 025AAEA5
  • Part of subcall function 025AA7A3: inet_ntoa.WS2_32(?), ref: 025AA7A9
• wsprintfA.USER32 ref: 025AAE4F
• wsprintfA.USER32 ref: 025AAE5E
  • Part of subcall function 025AEF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 025AEF92
  • Part of subcall function 025AEF7C: lstrlenA.KERNEL32(?), ref: 025AEF99
  • Part of subcall function 025AEF7C: lstrlenA.KERNEL32(00000000), ref: 025AEFA0
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: a68720a79e021c45145bef40bd104039582aaf94aa10e14431efffb0fb4b53b8
• Instruction ID: 641105b471aee3a09b97e25141c1e0ead07c666baa4e4dd7b90ffd6103bafd4f
• Opcode Fuzzy Hash: a68720a79e021c45145bef40bd104039582aaf94aa10e14431efffb0fb4b53b8
• Instruction Fuzzy Hash: 8B413FB290020DABEF26EFA0DC56EEF3BADFF48340F14442AB91592151EA71D558CF58
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?,?,025A9DD7,?,00000022,?,?,00000000,00000001), ref: 025A9340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,025A9DD7,?,00000022,?,?,00000000,00000001), ref: 025A936E
• GetModuleFileNameA.KERNEL32(00000000,?,025A9DD7,?,00000022,?,?,00000000,00000001), ref: 025A9375
• wsprintfA.USER32 ref: 025A93CE
• wsprintfA.USER32 ref: 025A940C
• wsprintfA.USER32 ref: 025A948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 025A94F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 025A9526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 025A9571
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: 5ffbd7e5010678d21bb5b29b26b5dd6378145d0eea132ebcb0e56230b7272ac2
• Instruction ID: e3d09f4907c185475e1cc121299d7f9f683ef1fda147ad5201cc854cf71e4bd2
• Opcode Fuzzy Hash: 5ffbd7e5010678d21bb5b29b26b5dd6378145d0eea132ebcb0e56230b7272ac2
• Instruction Fuzzy Hash: 18A17CB1940258ABEB229FA4CC56FEF3BADFF48740F100426FA05D6191E7719944CFA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• wsprintfA.USER32 ref: 025AB467
  • Part of subcall function 025AEF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 025AEF92
  • Part of subcall function 025AEF7C: lstrlenA.KERNEL32(?), ref: 025AEF99
  • Part of subcall function 025AEF7C: lstrlenA.KERNEL32(00000000), ref: 025AEFA0
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: e5750398be4e030d2fd746e3429f9716569a716913a5e29904482a290278f45d
• Instruction ID: 898a6a054c31b79fb8ecbfec92538525f9f9a9f68e393a060899060faa6fbe1b
• Opcode Fuzzy Hash: e5750398be4e030d2fd746e3429f9716569a716913a5e29904482a290278f45d
• Instruction Fuzzy Hash: 864163B254011E7EEF01AA94CCD2CFFBB6DFF89648F140425F905A2040DB35A9158BB9
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 025AA4C7: GetTickCount.KERNEL32 ref: 025AA4D1
  • Part of subcall function 025AA4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 025AA4FA
• GetTickCount.KERNEL32 ref: 025AC31F
• GetTickCount.KERNEL32 ref: 025AC32B
• GetTickCount.KERNEL32 ref: 025AC363
• GetTickCount.KERNEL32 ref: 025AC378
• GetTickCount.KERNEL32 ref: 025AC44D
• InterlockedIncrement.KERNEL32(025AC4E4), ref: 025AC4AE
• CreateThread.KERNEL32(00000000,00000000,025AB535,00000000,?,025AC4E0), ref: 025AC4C1
• CloseHandle.KERNEL32(00000000,?,025AC4E0,025B3588,025A8810), ref: 025AC4CC
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
• Opcode ID: 3298fbc783b9ca70fc436df2ce7bb737fd0475ae5edb56255e79cbebf64db993
• Instruction ID: 4af33993acdb9bf0f93d5c551db23ed2a206a4ecebcf11a8af7c6617d528d39d
• Opcode Fuzzy Hash: 3298fbc783b9ca70fc436df2ce7bb737fd0475ae5edb56255e79cbebf64db993
• Instruction Fuzzy Hash: 8E515AB1A00B418FD7648F69C5A662ABBE9FB48305B505D3FE18BC7A90D774F844CB18
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 025ABE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 025ABE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 025ABE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 025ABF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 025ABF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 025ABF94
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: 0cacfa0bdceb2159ac1e461d0aed536c35fa3476368665ca337e2863682e324e
• Instruction ID: 55cc8138099f63db2507f517083da2454dfd3629a17cb834d7adf46584883477
• Opcode Fuzzy Hash: 0cacfa0bdceb2159ac1e461d0aed536c35fa3476368665ca337e2863682e324e
• Instruction Fuzzy Hash: 7351A471A0021AEFDB119F64C8A2BAEBFA9BF5434CF484465E941AB250D730E941CFD8
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76128A60,?,?,?,?,025A9A60,?,?,025A9E9D), ref: 025A6A7D
• GetDiskFreeSpaceA.KERNEL32(025A9E9D,025A9A60,?,?,?,025B22F8,?,?,?,025A9A60,?,?,025A9E9D), ref: 025A6ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,025A9A60,?,?,025A9E9D), ref: 025A6B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,025A9A60,?,?,025A9E9D), ref: 025A6B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,025A9A60,?,?,025A9E9D), ref: 025A6B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,025A9A60,?,?,025A9E9D), ref: 025A6B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,025A9A60,?,?,025A9E9D), ref: 025A6B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,025A9A60,?,?,025A9E9D), ref: 025A6B80
• GetLastError.KERNEL32(?,?,?,025A9A60,?,?,025A9E9D,?,?,?,?,?,025A9E9D,?,00000022,?), ref: 025A6B96
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: 382a9cc5dc0c6364f0636e6cffd7a5e62ee678a6c05d4d2dc9620fed59e04917
• Instruction ID: 023d78f01ca8cf918666aa9b4ec4bc1ee63e86b9ba5cdd0245f89be7345db30b
• Opcode Fuzzy Hash: 382a9cc5dc0c6364f0636e6cffd7a5e62ee678a6c05d4d2dc9620fed59e04917
• Instruction Fuzzy Hash: A331DDB2D0114DBFCF029FA08856AAFBFBDFB88310F084966E611E3240D73085599F69
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameA.ADVAPI32(?,025AD7C3), ref: 025A6F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,025AD7C3), ref: 025A6FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 025A6FE8
• LocalFree.KERNEL32(00000120), ref: 025A701F
• wsprintfA.USER32 ref: 025A7036
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                                                                                                • String ID: /%d$|
                                                                                                                                                                                • API String ID: 676856371-4124749705
                                                                                                                                                                                • Opcode ID: 158786704e56cade0ccd451bfda9a8a5abcf8cdec2830aefc79018712a4d1768
                                                                                                                                                                                • Instruction ID: 27f21ddfccccd4410eaa644a445d504ff50a8d1e6915172090e69f83da725bf3
                                                                                                                                                                                • Opcode Fuzzy Hash: 158786704e56cade0ccd451bfda9a8a5abcf8cdec2830aefc79018712a4d1768
                                                                                                                                                                                • Instruction Fuzzy Hash: 5B31FA72900219ABDB01DFA8D85AAEF7BBCFF04354F048566F959DB140EB35D6088F98
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,025B22F8,000000E4,025A6DDC,000000C8), ref: 025A6CE7
                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 025A6CEE
                                                                                                                                                                                • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 025A6D14
                                                                                                                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 025A6D2B
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                                                                                                • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                                                                                                                • API String ID: 1082366364-3395550214
                                                                                                                                                                                • Opcode ID: 2846514cdb858b1265d0b740cabbd5c4f995b375042c2e1af5c32e3a4138d584
                                                                                                                                                                                • Instruction ID: 19b04a167d18fef0431997bd39c4d5149934fad2beda6b6f34ae16b7d35e3779
                                                                                                                                                                                • Opcode Fuzzy Hash: 2846514cdb858b1265d0b740cabbd5c4f995b375042c2e1af5c32e3a4138d584
                                                                                                                                                                                • Instruction Fuzzy Hash: 10210455A802457AFB235A338CABFBF3E8DAF42694F0C0854FD04EA0C0C7948449C2BE
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • CreateProcessA.KERNEL32(00000000,025A9947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,025B22F8), ref: 025A97B1
                                                                                                                                                                                • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,025B22F8), ref: 025A97EB
                                                                                                                                                                                • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,025B22F8), ref: 025A97F9
                                                                                                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,025B22F8), ref: 025A9831
                                                                                                                                                                                • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,025B22F8), ref: 025A984E
                                                                                                                                                                                • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,025B22F8), ref: 025A985B
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                                                                                                • String ID: D
                                                                                                                                                                                • API String ID: 2981417381-2746444292
                                                                                                                                                                                • Opcode ID: 3bff2a3eed37fe1147e0e6ff3dd93ff92daa66995702c3759bbe040226d313bd
                                                                                                                                                                                • Instruction ID: 759c752446bd55eb5eb4c2fefe4d6f645dde176a2f31b682674c42820eeb58c9
                                                                                                                                                                                • Opcode Fuzzy Hash: 3bff2a3eed37fe1147e0e6ff3dd93ff92daa66995702c3759bbe040226d313bd
                                                                                                                                                                                • Instruction Fuzzy Hash: C4210C71D41129ABDB529FA1DC4AFEF7F7CFF05654F000461BA19E1080EB309654CAA8
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: ]Vw`'Vw
                                                                                                                                                                                • API String ID: 0-147723481
                                                                                                                                                                                • Opcode ID: 93417debb2295299fb05b60dd43ccb555b9dcf9dda52ac8afde701e40beb0726
                                                                                                                                                                                • Instruction ID: 62ee7bed141a99343137f4673cd5873e6d4dcd4935c998d69efc1d7c48ae6742
                                                                                                                                                                                • Opcode Fuzzy Hash: 93417debb2295299fb05b60dd43ccb555b9dcf9dda52ac8afde701e40beb0726
                                                                                                                                                                                • Instruction Fuzzy Hash: CA31B272A00309ABDB119FA5CC93BBEB7F5FF88701F10485AE905E6241E374D651CB58
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 025ADD05: GetTickCount.KERNEL32 ref: 025ADD0F
                                                                                                                                                                                  • Part of subcall function 025ADD05: InterlockedExchange.KERNEL32(025B36B4,00000001), ref: 025ADD44
                                                                                                                                                                                  • Part of subcall function 025ADD05: GetCurrentThreadId.KERNEL32 ref: 025ADD53
                                                                                                                                                                                  • Part of subcall function 025ADD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 025ADDB5
                                                                                                                                                                                • lstrcpynA.KERNEL32(?,025A1E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,025AEAAA,?,?), ref: 025AE8DE
                                                                                                                                                                                • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,025AEAAA,?,?,00000001,?,025A1E84,?), ref: 025AE935
                                                                                                                                                                                • lstrlenA.KERNEL32(00000001,?,?,?,?,?,025AEAAA,?,?,00000001,?,025A1E84,?,0000000A), ref: 025AE93D
                                                                                                                                                                                • lstrlenA.KERNEL32(00000000,?,?,?,?,?,025AEAAA,?,?,00000001,?,025A1E84,?), ref: 025AE94F
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                                                                                                • String ID: flags_upd$localcfg
                                                                                                                                                                                • API String ID: 204374128-3505511081
                                                                                                                                                                                • Opcode ID: b3e212319ad1e715f14bf21c2e82d79e0c4ed161748aaa08fd3e642b37ecb336
                                                                                                                                                                                • Instruction ID: 48029f72ec8c7f7d8e228618a1e3d71078cf07a1ec5d4ba4c796481214bd2b0e
                                                                                                                                                                                • Opcode Fuzzy Hash: b3e212319ad1e715f14bf21c2e82d79e0c4ed161748aaa08fd3e642b37ecb336
                                                                                                                                                                                • Instruction Fuzzy Hash: E0513E72D0020AAFCB11EFA8C996DAEBBFAFF48304F14456AE405A7610D735EA14CF54
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Code
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3609698214-0
                                                                                                                                                                                • Opcode ID: 28431c5e1d48329934ff3ad8ed77f4989c305a1967b977b42da260c37fccc061
                                                                                                                                                                                • Instruction ID: 1bf284871eb9e29dfbce6951323bc88391d35ebfa86b7deaef34335ee3ab84a7
                                                                                                                                                                                • Opcode Fuzzy Hash: 28431c5e1d48329934ff3ad8ed77f4989c305a1967b977b42da260c37fccc061
                                                                                                                                                                                • Instruction Fuzzy Hash: 8621A176905109FFDB126B70ED6ADAF3EACEB44764B140821F502E1080EB30DA04EA7C
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetTempPathA.KERNEL32(00000400,?,00000000,025B22F8), ref: 025A907B
                                                                                                                                                                                • wsprintfA.USER32 ref: 025A90E9
                                                                                                                                                                                • CreateFileA.KERNEL32(025B22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 025A910E
                                                                                                                                                                                • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 025A9122
                                                                                                                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 025A912D
                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 025A9134
                                                                                                                                                                                Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: f30db677cf29dfd540a8253f0b12c122d96b3f0cfcd8034efe25f2fe6096e41a
• Instruction ID: b97ccd200a9bff46a630a13402bad09c3a472200ab393d6b6c6aa7e3f5517716
• Opcode Fuzzy Hash: f30db677cf29dfd540a8253f0b12c122d96b3f0cfcd8034efe25f2fe6096e41a
• Instruction Fuzzy Hash: 931187F6A405147BF7657A21DC1BEEF766FEFC4700F008465BB0AE6080EA704A159A68
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 025ADD0F
• GetCurrentThreadId.KERNEL32 ref: 025ADD20
• GetTickCount.KERNEL32 ref: 025ADD2E
• Sleep.KERNEL32(00000000,?,761311B0,?,00000000,025AE538,?,761311B0,?,00000000,?,025AA445), ref: 025ADD3B
• InterlockedExchange.KERNEL32(025B36B4,00000001), ref: 025ADD44
• GetCurrentThreadId.KERNEL32 ref: 025ADD53
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 3a522cc125f21f0528e81c14b1f646ab21d4ac0165277f819e49b5512a205257
• Instruction ID: 1bbc3abffb179f0a89096bde9be46a3b1f9d21b34b327636343a70d245ac441d
• Opcode Fuzzy Hash: 3a522cc125f21f0528e81c14b1f646ab21d4ac0165277f819e49b5512a205257
• Instruction Fuzzy Hash: 8DF0E971986108AFC7C27F75A886B3E3BB4F749351F400855E209D2180E720506DEF2D
Uniqueness
Uniqueness Score: -1.00%

APIs
• gethostname.WS2_32(?,00000080), ref: 025AAD1C
• lstrlenA.KERNEL32(00000000), ref: 025AAD60
• lstrlenA.KERNEL32(00000000), ref: 025AAD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 025AAD7F
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 6c67fc53bdcfe25d5f43174175f9c1a2b7b44e49d7d6a0eca2085258dff70c84
• Instruction ID: e0c4f40e526fbd10f3290567ecfeab2c99275c9e1f5f440ecb0a77b0c391b0ff
• Opcode Fuzzy Hash: 6c67fc53bdcfe25d5f43174175f9c1a2b7b44e49d7d6a0eca2085258dff70c84
• Instruction Fuzzy Hash: 7601F520C8428A5EDF324A38D866BBD7F76BB8664AF500455E4C09B155EF248087C7AE
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,025A98FD,00000001,00000100,025B22F8,025AA3C7), ref: 025A4290
• CloseHandle.KERNEL32(025AA3C7), ref: 025A43AB
• CloseHandle.KERNEL32(00000001), ref: 025A43AE
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
• Opcode ID: fd13066362fb1b4a4750de4561e16e264e911d226d9f311370d1782ae79eac98
• Instruction ID: fa8f7151ae119d46970fab2084a527b59db8a7bbae1b37a24225cd69794615b2
• Opcode Fuzzy Hash: fd13066362fb1b4a4750de4561e16e264e911d226d9f311370d1782ae79eac98
• Instruction Fuzzy Hash: E841B171C1020ABADF10ABA1DD96FAFBFBDFF40324F104556F604A6180D7748650DBA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,025A64CF,00000000), ref: 025A609C
• LoadLibraryA.KERNEL32(?,?,025A64CF,00000000), ref: 025A60C3
• GetProcAddress.KERNEL32(?,00000014), ref: 025A614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 025A619E
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: 7b2d891105ad6d258e6c941bb546de0463350b30fae2d783fb2bbb4a1d28ba48
• Instruction ID: cb032fabb61daca6c4b69378ec19864c2aa5a5ea8a7076c5204158325ca93206
• Opcode Fuzzy Hash: 7b2d891105ad6d258e6c941bb546de0463350b30fae2d783fb2bbb4a1d28ba48
• Instruction Fuzzy Hash: C4415A71E0020AAFDF14CF58C8A6B6EBBB9FF44358F188469E815D7291E730E944CB94
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 025A272E
• htons.WS2_32(00000001), ref: 025A2752
• htons.WS2_32(0000000F), ref: 025A27D5
• htons.WS2_32(00000001), ref: 025A27E3
• sendto.WS2_32(?,025B2BF8,00000009,00000000,00000010,00000010), ref: 025A2802
  • Part of subcall function 025AEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,025AEBFE,7FFF0001,?,025ADB55,7FFF0001), ref: 025AEBD3
  • Part of subcall function 025AEBCC: RtlAllocateHeap.NTDLL(00000000,?,025ADB55,7FFF0001), ref: 025AEBDA
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• String ID:
• API String ID: 1128258776-0
• Opcode ID: ca8f13aab038345f714d4376220053f8e83506cc11518d4d3f035aa59b55e610
• Instruction ID: 17f925ce6a54fc6af079a5b066cbca8da046a8c14842a681bd63e5aef06aca76
• Opcode Fuzzy Hash: ca8f13aab038345f714d4376220053f8e83506cc11518d4d3f035aa59b55e610
• Instruction Fuzzy Hash: 01318C34A883829FD7118F74D892A657B60FF18318F194C7DDC15CB302DA32D446EB28
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,025B22F8), ref: 025A915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 025A9166
• CharToOemA.USER32(?,?), ref: 025A9174
• wsprintfA.USER32 ref: 025A91A9
  • Part of subcall function 025A9064: GetTempPathA.KERNEL32(00000400,?,00000000,025B22F8), ref: 025A907B
  • Part of subcall function 025A9064: wsprintfA.USER32 ref: 025A90E9
  • Part of subcall function 025A9064: CreateFileA.KERNEL32(025B22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 025A910E
  • Part of subcall function 025A9064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 025A9122
  • Part of subcall function 025A9064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 025A912D
  • Part of subcall function 025A9064: CloseHandle.KERNEL32(00000000), ref: 025A9134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 025A91E1
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
• Opcode ID: 8616624351eb8b0705fadb70eeb33e8b45af4eceebb695d62cb198aa67ad7686
• Instruction ID: 0142b74e9d2a38cae25a580e22e7793a6d9b40e33877494fdface071e8f15b55
• Opcode Fuzzy Hash: 8616624351eb8b0705fadb70eeb33e8b45af4eceebb695d62cb198aa67ad7686
• Instruction Fuzzy Hash: 630192F6C401187BDB61AA61CC4AFEF7B7CEB85701F0004A1BB09E2080E67096898F74
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,025A2491,?,?,?,025AE844,-00000030,?,?,?,00000001), ref: 025A2429
• lstrlenA.KERNEL32(?,?,025A2491,?,?,?,025AE844,-00000030,?,?,?,00000001,025A1E3D,00000001,localcfg,lid_file_upd), ref: 025A243E
• lstrcmpiA.KERNEL32(?,?), ref: 025A2452
• lstrlenA.KERNEL32(?,?,025A2491,?,?,?,025AE844,-00000030,?,?,?,00000001,025A1E3D,00000001,localcfg,lid_file_upd), ref: 025A2467
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: e7b5b787dfafeb80ab61129a84fff55297405b0cd2c3c33f4c26d784855ec51a
• Instruction ID: e17861306cf7de11d28a048c411af791c8061747006cc45651621e15b4636be3
• Opcode Fuzzy Hash: e7b5b787dfafeb80ab61129a84fff55297405b0cd2c3c33f4c26d784855ec51a
• Instruction Fuzzy Hash: A7011A31600218AFCF11EF69CC829DE7BA9FF44354B01C425EC59D7200E330EA548A98
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: ffb2c4d434e540f7046ab54384cc0ceb90eee98a020cf1f5018557b73f1d634c
• Instruction ID: 1c8dd6d5125f437b6dba35775ae5c57cf88f347242e05262d2117325e4bc65ca
• Opcode Fuzzy Hash: ffb2c4d434e540f7046ab54384cc0ceb90eee98a020cf1f5018557b73f1d634c
• Instruction Fuzzy Hash: FE4199729042999FDB22CFB88D65BEE3FE9AF49310F240056FDA4D3141D634EA05CBA4
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 025ADD05: GetTickCount.KERNEL32 ref: 025ADD0F
  • Part of subcall function 025ADD05: InterlockedExchange.KERNEL32(025B36B4,00000001), ref: 025ADD44
  • Part of subcall function 025ADD05: GetCurrentThreadId.KERNEL32 ref: 025ADD53
• lstrcmpA.KERNEL32(761311B8,00000000,?,761311B0,00000000,?,025A5EC1), ref: 025AE693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,761311B0,00000000,?,025A5EC1), ref: 025AE6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,761311B0,00000000,?,025A5EC1), ref: 025AE722
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
• Opcode ID: b6fbcb088c496bf5d4ba8f153f3fc644fb3c3a1bd3bf580dc3be9887d8addfb4
• Instruction ID: f15e50cab25d6a25958289b6a4eab733dbecb4a5714a4c766b5db744affd9a8b
• Opcode Fuzzy Hash: b6fbcb088c496bf5d4ba8f153f3fc644fb3c3a1bd3bf580dc3be9887d8addfb4
• Instruction Fuzzy Hash: AA31AF31A04746DBCB329E68E8A7BAF7BE4BF05314F104C3AE55687541E770E884CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCreateKeyExA.ADVAPI32(80000001,025AE2A3,00000000,00000000,00000000,00020106,00000000,025AE2A3,00000000,000000E4), ref: 025AE0B2
• RegSetValueExA.ADVAPI32(025AE2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,025B22F8), ref: 025AE127
• RegDeleteValueA.ADVAPI32(025AE2A3,?,?,?,?,?,000000C8,025B22F8), ref: 025AE158
• RegCloseKey.ADVAPI32(025AE2A3,?,?,?,?,000000C8,025B22F8,?,?,?,?,?,?,?,?,025AE2A3), ref: 025AE161
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
• Opcode ID: c554ba24da34b709c782e4a5634c536d49daabbead4ee9e12d4b4b9e7d3ef52f
• Instruction ID: 6efc21baed21f53fb6a36d34bd15eac7ff8fae20854a3c3e4a61ebefc60a8981
• Opcode Fuzzy Hash: c554ba24da34b709c782e4a5634c536d49daabbead4ee9e12d4b4b9e7d3ef52f
• Instruction Fuzzy Hash: 7E214C71E0022EABDF219EA4DC8AEAF7FB9FF09750F004071F904A6150E6318A14DB94
Uniqueness
Uniqueness Score: -1.00%
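
The registry card above is the one worth reading closely: the injected code in svchost opens a key under HKEY_CURRENT_USER (0x80000001) with samDesired 0x20106, which is KEY_WRITE | KEY_WOW64_64KEY, and then writes a value of type 3 (REG_BINARY). Decoding those constants by hand is error-prone, so the following added example (written for this page, not Joe Sandbox code and not part of the report) parses the report's "Api.Module(args), ref: addr" lines and annotates the slots that the documented prototypes say are constants. It assumes the argument columns are the stack slots the sandbox read at call time, so slots past the real prototype are leftovers and "?" is an unresolved slot; note, for instance, that the hKey slot of RegSetValueExA shows 025AE2A3, a pointer inside the dumped module that also appears as the lpSubKey slot of RegCreateKeyExA, so only slots holding plausible constants are decoded. The sample lines are copied from the cards above with the bullets removed.

```python
"""Parse Joe Sandbox 'APIs' lines and decode registry constants.
Added example, not part of the report; sample lines copied from above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Copied from this report.  The sandbox prints the stack slots it read at
# call time: slots past the real prototype are leftovers, '?' is unresolved.
SAMPLE_LINES = [
    "RegCreateKeyExA.ADVAPI32(80000001,025AE2A3,00000000,00000000,00000000,00020106,00000000,025AE2A3,00000000,000000E4), ref: 025AE0B2",
    "RegSetValueExA.ADVAPI32(025AE2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,025B22F8), ref: 025AE127",
    "RegDeleteValueA.ADVAPI32(025AE2A3,?,?,?,?,?,000000C8,025B22F8), ref: 025AE158",
    "RegCloseKey.ADVAPI32(025AE2A3,?,?,?,?,000000C8,025B22F8,?,?,?,?,?,?,?,?,025AE2A3), ref: 025AE161",
    "Part of subcall function 025ADD05: GetTickCount.KERNEL32 ref: 025ADD0F",
    "lstrcmpiA.KERNEL32(?,?), ref: 025A2452",
]

API_LINE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref: (?P<ref>[0-9A-Fa-f]+)$"
)

Arg = Union[int, str, None]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]          # None for '?', str for literals such as 'localcfg'
    ref: int                 # address of the call site
    subcall: Optional[int]   # set on 'Part of subcall function' lines


def _arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)   # '-00000030' -> -0x30; note '89ABCDEF' is ambiguous
    except ValueError:
        return tok            # string literal the sandbox resolved


def parse_api_line(line: str) -> ApiCall:
    m = API_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    raw = m.group("args")
    args = [_arg(t) for t in raw.split(",")] if raw else []
    sub = m.group("subcall")
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


# winreg.h constants referenced by the RegCreateKeyExA / RegSetValueExA card.
ROOT_KEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
             0x80000005: "HKEY_CURRENT_CONFIG"}
KEY_COMPOSITE = [("KEY_ALL_ACCESS", 0xF003F), ("KEY_WRITE", 0x20006),
                 ("KEY_READ", 0x20019)]
KEY_BITS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
            0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
            0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}


def decode_sam(mask: int) -> List[str]:
    """Expand a samDesired mask, matching the widest composite rights first."""
    names, rest = [], mask
    for name, bits in KEY_COMPOSITE:
        if rest & bits == bits:
            names.append(name)
            rest &= ~bits
    for bit, name in sorted(KEY_BITS.items()):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")   # bits not in the table, e.g. DELETE
    return names


def describe(call: ApiCall) -> str:
    """Annotate only the slots the documented prototype says hold constants."""
    a = call.args
    if call.api.startswith("RegCreateKeyEx") and len(a) >= 6:
        root = ROOT_KEYS.get(a[0], f"0x{a[0]:X}") if isinstance(a[0], int) else "?"
        sam = "|".join(decode_sam(a[5])) if isinstance(a[5], int) else "?"
        return f"{call.api}: root={root} samDesired={sam}"
    if call.api.startswith("RegSetValueEx") and len(a) >= 4:
        typ = REG_TYPES.get(a[3], "?") if isinstance(a[3], int) else "?"
        return f"{call.api}: dwType={typ}"
    return call.api


def summarize(lines: List[str]) -> List[str]:
    return [describe(parse_api_line(ln)) for ln in lines]
```

Running summarize(SAMPLE_LINES) yields "RegCreateKeyExA: root=HKEY_CURRENT_USER samDesired=KEY_WRITE|KEY_WOW64_64KEY" and "RegSetValueExA: dwType=REG_BINARY" for the first two lines, which is the fact a responder wants from this card: a per-user key is created for writing and a binary blob is stored under it. The 000FF000 in the cbData slot should be treated with the same suspicion as the hKey slot until the value is confirmed from the memory dump.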

APIs
• WriteFile.KERNEL32(00000000,00000000,025AA3C7,00000000,00000000,000007D0,00000001), ref: 025A3F44
• GetLastError.KERNEL32 ref: 025A3F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 025A3F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 025A3F72
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 425dff046e680bc1c41b9c4210d0e3a62a8e466fe87f0a530ac7c4e70b4e7170
• Instruction ID: 71d2ac04ec257c0b501bb770a486576d29bd119810c25a76f86bd53980c8a720
• Opcode Fuzzy Hash: 425dff046e680bc1c41b9c4210d0e3a62a8e466fe87f0a530ac7c4e70b4e7170
• Instruction Fuzzy Hash: 76011372920109BBDB52DE90DD85BEF3BBCFB04369F404465FA01E2080D734DA648BAA
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadFile.KERNEL32(00000000,00000000,025AA3C7,00000000,00000000,000007D0,00000001), ref: 025A3FB8
• GetLastError.KERNEL32 ref: 025A3FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 025A3FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 025A3FE6
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: 5c991f0320c1ecdbdd8ed35e3fac61d888ec3f41435b047f65fed09b1f98c793
• Instruction ID: e190cd0281acde2fdc863bca6da07dc77253e9af976cccf1ce775e48be5f85e5
• Opcode Fuzzy Hash: 5c991f0320c1ecdbdd8ed35e3fac61d888ec3f41435b047f65fed09b1f98c793
• Instruction Fuzzy Hash: EB01D77292010AABDF11DF94D946BEF7BBCFB04359F404451F902E2040D774DA649BA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 025AA4D1
• GetTickCount.KERNEL32 ref: 025AA4E4
• Sleep.KERNEL32(00000000,?,025AC2E9,025AC4E0,00000000,localcfg,?,025AC4E0,025B3588,025A8810), ref: 025AA4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 025AA4FA
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: c03c791ec26d47c30d547605949bbe8a010c14afde1f7a9a3734ddb7948d5eca
• Instruction ID: fdc4e62b0b14ee41212d6c0c9b0b0b486ac78052be7d753724e27e4e6fd7fbd7
• Opcode Fuzzy Hash: c03c791ec26d47c30d547605949bbe8a010c14afde1f7a9a3734ddb7948d5eca
• Instruction Fuzzy Hash: 91E026332412185BCA002BA5AC84FBF37A8BB497A1F410421FA04D3180C616A855C1BE
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 025A4E9E
• GetTickCount.KERNEL32 ref: 025A4EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 025A4EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 025A4EC3
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetTickCount.KERNEL32 ref: 025A4BDD
• GetTickCount.KERNEL32 ref: 025A4BEC
• Sleep.KERNEL32(00000000,?,?,?,02A2C1A4,025A50F2), ref: 025A4BF9
• InterlockedExchange.KERNEL32(02A2C198,00000001), ref: 025A4C02
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetTickCount.KERNEL32 ref: 025A3103
• GetTickCount.KERNEL32 ref: 025A310F
• Sleep.KERNEL32(00000000), ref: 025A311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 025A3128
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 025AC057
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
Uniqueness
• Uniqueness Score: -1.00%
APIs
  • Part of subcall function 025A30FA: GetTickCount.KERNEL32 ref: 025A3103
  • Part of subcall function 025A30FA: InterlockedExchange.KERNEL32(?,00000001), ref: 025A3128
• GetCurrentThreadId.KERNEL32 ref: 025A3929
• GetCurrentThreadId.KERNEL32 ref: 025A3939
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
Uniqueness
• Uniqueness Score: -1.00%
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,025ABD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 025AABB9
• InterlockedIncrement.KERNEL32(025B3640), ref: 025AABE1
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
Uniqueness
• Uniqueness Score: -1.00%
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 025A26C3
• inet_ntoa.WS2_32(?), ref: 025A26E4
Strings
Memory Dump Source
• Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
                                                                                                                                                                                • Opcode ID: 5cfa8a80830e144e2b904066f957f3cdd2211be6a2b9f87b9feaccf69c362edb
                                                                                                                                                                                • Instruction ID: 6698a00efe2530433d3987c4795164968c13d1727ab94cf5df256e18ebb3c622
                                                                                                                                                                                • Opcode Fuzzy Hash: 5cfa8a80830e144e2b904066f957f3cdd2211be6a2b9f87b9feaccf69c362edb
                                                                                                                                                                                • Instruction Fuzzy Hash: B5F082325492096FEB016EA4EC17AAE3B9DEF04250F104425F908CA090DB71D950979C
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                • LoadLibraryA.KERNEL32(ntdll.dll,025AEB54,_alldiv,025AF0B7,80000001,00000000,00989680,00000000,?,?,?,025AE342,00000000,7558EA50,80000001,00000000), ref: 025AEAF2
                                                                                                                                                                                • GetProcAddress.KERNEL32(77520000,00000000), ref: 025AEB07
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                                                                                • String ID: ntdll.dll
                                                                                                                                                                                • API String ID: 2574300362-2227199552
                                                                                                                                                                                • Opcode ID: b28ecc4cedbcb54587e235155862d9e4868e9c8d7136d11004cff89b7760f281
                                                                                                                                                                                • Instruction ID: d985f0feb4f189249ce152025904cfe740cd75c4e45cde5a4e02ffb46fbad01b
                                                                                                                                                                                • Opcode Fuzzy Hash: b28ecc4cedbcb54587e235155862d9e4868e9c8d7136d11004cff89b7760f281
                                                                                                                                                                                • Instruction Fuzzy Hash: D7D0C934E85B06AB9F974F78996FA5A7BE8BB40741B808865A40AE1100E730D42CEA0C
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                APIs
                                                                                                                                                                                  • Part of subcall function 025A2D21: GetModuleHandleA.KERNEL32(00000000,76132640,?,00000000,025A2F01,?,025A20FF,025B2000), ref: 025A2D3A
                                                                                                                                                                                  • Part of subcall function 025A2D21: LoadLibraryA.KERNEL32(?), ref: 025A2D4A
                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 025A2F73
                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 025A2F7A
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000017.00000002.3738563627.00000000025A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_23_2_25a0000_svchost.jbxd
                                                                                                                                                                                Yara matches
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1017166417-0
                                                                                                                                                                                • Opcode ID: 9d37886f0f163bd9398a48aa0bc5790bfaa97e9c2a74338136b81cca15e268dd
                                                                                                                                                                                • Instruction ID: 25cf02137c26b9bce073b8f7f4a4a8a73d3d1fe74694dd61b911d1730723e7c9
                                                                                                                                                                                • Opcode Fuzzy Hash: 9d37886f0f163bd9398a48aa0bc5790bfaa97e9c2a74338136b81cca15e268dd
                                                                                                                                                                                • Instruction Fuzzy Hash: 1E51A171900246AFCB069F64D89AAFEBB75FF05304F1045A9EC96C7210E732DA19CB94
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%